CiviCRM communicates with multiple payment-processing services over SSL/TLS. To establish that the remote payment-processing service is authentic, the certificate it presents must be verified, which includes checking that the name in the certificate matches the host CiviCRM intended to reach; a certificate that is validly signed but issued for some other hostname must be rejected.
The following payment processors included in CiviCRM contained code that disabled cURL's verification of the certificate hostname (CURLOPT_SSL_VERIFYHOST). With that check off, any certificate issued by a trusted CA for any hostname is accepted, so the connection can be answered by a server the attacker controls, presenting the attacker's own valid certificate.
- Elavon
- FirstData
- Paypal
- Payflow
- PaymentExpress
Note: This vulnerability can only be exploited by an attacker positioned to actively manipulate traffic as it passes between your web server and your payment processor (a man-in-the-middle position, for example by controlling DNS or routing on that path).
Affected versions: CiviCRM v4.3.4 and all previous versions
Fixed version: CiviCRM v4.3.5
Any ONE of the following solutions will provide protection:
- Upgrade to CiviCRM 4.3.5+
- Manually apply the fix to the affected payment processor file(s), as described below.
Manually correcting your payment processor:
If you are unable to upgrade to 4.3.5, the change to your current payment processor is small. In your payment processor file(s), identify the code that sets CURLOPT_SSL_VERIFYHOST to 0 or FALSE, and either
- remove the line entirely (restoring cURL's default value of 2), or
- explicitly set the value to 2.
Do not substitute 1: in the libcurl versions of the time that value only checked that the certificate contained a name, not that the name matched, and later releases either refuse it or treat it as 2. While in the file, also confirm that nothing sets CURLOPT_SSL_VERIFYPEER to FALSE or 0; hostname matching only means something when the certificate chain is validated as well.
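The weak and corrected cURL configurations side by side, with a pre-flight check that refuses to send a request when either verification option is off. This is an added example, not CiviCRM core code or any of the listed processors' code; the function names and the gateway URL are this example's own constructed placeholders.

```php
<?php
// Added example, not CiviCRM core code. Shows the weak option set the advisory
// describes beside the corrected one, plus a pre-flight check that refuses to
// send a request with weak settings. Function names and the gateway URL are
// this example's own (constructed), not names from any CiviCRM processor.

/** Option set equivalent to the affected processors: hostname check disabled. */
function weakCurlOptions(string $url): array
{
    return [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST           => true,
        CURLOPT_SSL_VERIFYHOST => 0,   // the line the advisory says to remove or set to 2
    ];
}

/** Corrected option set: hostname matching and chain validation both on. */
function hardenedCurlOptions(string $url): array
{
    return [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST           => true,
        // 2 = the certificate's CN/SAN must match the host we connected to.
        // 0 disables the check; 1 is not a safe substitute.
        CURLOPT_SSL_VERIFYHOST => 2,
        // Without chain validation a matching hostname proves nothing: the
        // attacker can simply self-sign a certificate for the gateway's name.
        CURLOPT_SSL_VERIFYPEER => true,
    ];
}

/**
 * Returns a list of problems; an empty list means the options are acceptable.
 * Missing keys are treated as libcurl's defaults (VERIFYHOST=2, VERIFYPEER=on),
 * which is why simply deleting the offending curl_setopt line is a valid fix.
 */
function checkCurlTlsOptions(array $opts): array
{
    $problems = [];
    $verifyHost = $opts[CURLOPT_SSL_VERIFYHOST] ?? 2;
    if ((int) $verifyHost !== 2) {
        $problems[] = 'CURLOPT_SSL_VERIFYHOST is ' . var_export($verifyHost, true) . ', expected 2';
    }
    $verifyPeer = $opts[CURLOPT_SSL_VERIFYPEER] ?? true;
    if (!$verifyPeer) {
        $problems[] = 'CURLOPT_SSL_VERIFYPEER is disabled';
    }
    return $problems;
}

/** Posts $body to the gateway only if the option set passes the check. */
function gatewayPost(string $body, array $opts): string
{
    $problems = checkCurlTlsOptions($opts);
    if ($problems) {
        throw new RuntimeException('Refusing insecure TLS setup: ' . implode('; ', $problems));
    }
    $ch = curl_init();
    curl_setopt_array($ch, $opts + [CURLOPT_POSTFIELDS => $body]);
    $response = curl_exec($ch);
    if ($response === false) {
        // With verification on, an impersonated gateway fails here with a cURL
        // error instead of being silently accepted.
        $error = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('Gateway request failed: ' . $error);
    }
    curl_close($ch);
    return $response;
}

// Placeholder endpoint (constructed); nothing is sent unless gatewayPost is called.
$url = 'https://gateway.example/process';
echo "weak:     ", implode('; ', checkCurlTlsOptions(weakCurlOptions($url))) ?: '(none)', "\n";
echo "hardened: ", implode('; ', checkCurlTlsOptions(hardenedCurlOptions($url))) ?: '(none)', "\n";
```

The check treats an absent option as the libcurl default, so it accepts a file in which the offending line was deleted rather than rewritten, and it flags a value of 1 or true for CURLOPT_SSL_VERIFYHOST as well as 0, since neither is a full hostname match.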
Sites running non-core payment processors (either published CiviCRM extensions or local custom code) are encouraged to review those processors for the same pattern: any code that sets CURLOPT_SSL_VERIFYHOST to a value other than 2, or disables CURLOPT_SSL_VERIFYPEER. If you identify a similar vulnerability in a CiviCRM extension, please report it to the CiviCRM team immediately.
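A small scanner for that review, added here as an example; it is not CiviCRM's own tooling. It looks for the two cURL options in both the curl_setopt and curl_setopt_array forms, and reports literal weak values as findings and non-literal values (a variable or a config lookup) for manual review. The sample source it runs on by default is constructed; the directory argument is this example's own convention.

```php
<?php
// Added example, not CiviCRM's own tooling: a scanner for the pattern the advisory
// describes, so extension and custom processors can be reviewed the same way the
// core ones were. The sample source below is constructed; pass a directory on the
// command line to scan real files instead.

/**
 * Returns human-readable findings for any CURLOPT_SSL_VERIFYHOST value other than 2,
 * any CURLOPT_SSL_VERIFYPEER value that is false/0/null, and any value that is not a
 * literal (a variable or config lookup), which needs to be reviewed by hand.
 */
function findWeakCurlTlsSettings(string $source): array
{
    $findings = [];
    // Matches both curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0) and the array form
    // CURLOPT_SSL_VERIFYHOST => 0 used with curl_setopt_array.
    $pattern = '/CURLOPT_SSL_(VERIFYHOST|VERIFYPEER)\s*(?:,|=>)\s*([^,)\]\s]+)/i';
    foreach (explode("\n", $source) as $i => $line) {
        if (!preg_match_all($pattern, $line, $matches, PREG_SET_ORDER)) {
            continue;
        }
        foreach ($matches as $m) {
            $opt    = strtoupper($m[1]);
            $raw    = $m[2];
            $value  = strtolower($raw);
            $lineNo = $i + 1;
            if (!preg_match('/^(true|false|null|\d+)$/', $value)) {
                $findings[] = "line $lineNo: CURLOPT_SSL_$opt set from '$raw', review manually";
            } elseif ($opt === 'VERIFYHOST' && $value !== '2') {
                $findings[] = "line $lineNo: CURLOPT_SSL_VERIFYHOST is $value (must be 2)";
            } elseif ($opt === 'VERIFYPEER' && in_array($value, ['false', '0', 'null'], true)) {
                $findings[] = "line $lineNo: CURLOPT_SSL_VERIFYPEER is $value (chain validation off)";
            }
        }
    }
    return $findings;
}

/** Scans every .php file under $dir; returns [path => findings] for files with hits. */
function scanDirectory(string $dir): array
{
    $results = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $found = findWeakCurlTlsSettings((string) file_get_contents($file->getPathname()));
        if ($found) {
            $results[$file->getPathname()] = $found;
        }
    }
    return $results;
}

// Constructed sample in the shape of a processor file; not real CiviCRM code.
$sample = <<<'PHP'
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt_array($ch, [CURLOPT_SSL_VERIFYHOST => 2, CURLOPT_SSL_VERIFYPEER => $verifyPeer]);
PHP;

if ($argc > 1) {
    foreach (scanDirectory($argv[1]) as $path => $findings) {
        echo $path, "\n  ", implode("\n  ", $findings), "\n";
    }
} else {
    echo implode("\n", findWeakCurlTlsSettings($sample)), "\n";
}
```

Run it as `php scan.php /path/to/extensions` to report per file; a plain `grep -rn CURLOPT_SSL_VERIFY` over the same tree gives the raw hits if you prefer to classify them by eye. The scanner is a line-based regex, so an option whose value is on the next line, or that is set through a wrapper function, will not be matched and still needs a manual read.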
Credits:
- Andrew McNaughton
- Tim Otten (CiviCRM LLC)
- Kevin McArthur