CIVI-SA-2019-21: PHP Object Injection via Saved Search and Report Instance APIs

Published
2019-11-20 09:00
Both the "SavedSearch" and "ReportInstance" APIs accept certain inputs in PHP "serialized" notation. Accepting untrusted values in this notation leads to a "PHP Object Injection" (POI) vulnerability, which can potentially escalate to an "Arbitrary Code Execution" vulnerability.

The APIs now accept only a restricted subset of "serialized" notation: basic data such as arrays, strings, numbers, booleans and nulls. This prohibits PHP object construction while retaining backward compatibility with typical API inputs.
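The following is an added illustration of the mitigation described above, not CiviCRM's own code: a strict checker that walks the serialized string and accepts only the `a:`, `s:`, `i:`, `d:`, `b:` and `N;` tokens, rejecting `O:` (object), `C:` (custom serialization) and reference tokens before `unserialize()` is ever called. The class name `SafeSerializedInput` and the sample inputs are constructed for this example.

```php
<?php
/**
 * Added example (not CiviCRM code): accept only the scalar/array subset of
 * PHP "serialized" notation, and reject anything that could construct an object.
 */
final class SafeSerializedInput
{
    /** Decode $input if it holds only arrays/strings/ints/floats/bools/null; otherwise return $default. */
    public static function decode(string $input, $default = null)
    {
        $pos = 0;
        if (!self::parseValue($input, $pos) || $pos !== strlen($input)) {
            return $default; // trailing garbage or a forbidden token: refuse the whole value
        }
        // The grammar check above already excludes objects; allowed_classes=false is a second line of defence.
        return unserialize($input, ['allowed_classes' => false]);
    }

    /** Recursive-descent check of one value starting at $pos; advances $pos on success. */
    private static function parseValue(string $s, int &$pos): bool
    {
        switch ($s[$pos] ?? '') {
            case 'N': // N;
                return self::consume($s, $pos, 'N;');
            case 'b': // b:0; or b:1;
                return self::consumeRegex($s, $pos, '/\Gb:[01];/');
            case 'i': // i:-123;
                return self::consumeRegex($s, $pos, '/\Gi:-?\d+;/');
            case 'd': // d:1.5;  d:1.0E+25;  d:INF;  d:NAN;
                return self::consumeRegex($s, $pos, '/\Gd:(?:-?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?|-?INF|NAN);/');
            case 's': // s:<byte length>:"<bytes>";
                return self::parseString($s, $pos);
            case 'a': // a:<count>:{<key><value>...}
                return self::parseArray($s, $pos);
            default:  // O:, C:, r:, R: and anything unknown are rejected
                return false;
        }
    }

    private static function parseString(string $s, int &$pos): bool
    {
        if (!preg_match('/\Gs:(\d+):"/', $s, $m, 0, $pos)) {
            return false;
        }
        $start = $pos + strlen($m[0]);
        $len   = (int) $m[1];
        // The declared length is in bytes; the closing quote and semicolon must follow exactly there.
        if (substr($s, $start + $len, 2) !== '";') {
            return false;
        }
        $pos = $start + $len + 2;
        return true;
    }

    private static function parseArray(string $s, int &$pos): bool
    {
        if (!preg_match('/\Ga:(\d+):\{/', $s, $m, 0, $pos)) {
            return false;
        }
        $pos  += strlen($m[0]);
        $count = (int) $m[1];
        for ($i = 0; $i < $count; $i++) {
            // Array keys may only be integers or strings; values may be any permitted type (nested arrays included).
            $keyType = $s[$pos] ?? '';
            if (($keyType !== 'i' && $keyType !== 's') || !self::parseValue($s, $pos)) {
                return false;
            }
            if (!self::parseValue($s, $pos)) {
                return false;
            }
        }
        return self::consume($s, $pos, '}');
    }

    private static function consume(string $s, int &$pos, string $literal): bool
    {
        if (substr($s, $pos, strlen($literal)) !== $literal) {
            return false;
        }
        $pos += strlen($literal);
        return true;
    }

    private static function consumeRegex(string $s, int &$pos, string $re): bool
    {
        if (!preg_match($re, $s, $m, 0, $pos)) {
            return false;
        }
        $pos += strlen($m[0]);
        return true;
    }
}

// Constructed sample inputs (not taken from the advisory).
$typical = serialize(['contact_type' => 'Individual', 'limit' => 25]);
var_dump(SafeSerializedInput::decode($typical));   // array(2) { ["contact_type"]=> "Individual", ["limit"]=> 25 }

$objectNotation = 'O:8:"stdClass":0:{}';
var_dump(SafeSerializedInput::decode($objectNotation)); // NULL: object token rejected before unserialize()
```

The important design point is that validation happens on the raw string, before `unserialize()` runs: `allowed_classes => false` alone still parses object notation (producing `__PHP_Incomplete_Class` instances) rather than refusing it, so a grammar check that whitelists the basic-data tokens is what actually enforces "arrays, strings, numbers, etc." as the advisory describes.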

Security Risk
Critical
Vulnerability
Arbitrary PHP Code Execution
Affected Versions
  • CiviCRM before 5.19.2 and before 5.13.7
Fixed Versions
  • CiviCRM 5.19.2 and 5.13.7
Solutions

Upgrade to the latest version of CiviCRM

Credits

Patrick Figel of Greenpeace CEE for reporting the issue

Seamus Lee of Australian Greens, Patrick Figel of Greenpeace CEE and Tim Otten of CiviCRM for fixing the issue

References

security/core#46