Pubblicato
2015-03-04 12:05
The Smarty templating engine includes a defect in which a specially named Smarty template could be used to execute PHP code.
An exploit of this vulnerability in CiviCRM has not been identified. Exploiting it requires that an attacker have permission to set the name and content of a template file; in CiviCRM deployments, this permission is generally only available to system administrators. Never-the-less, it could potentially be combined with other vulnerabilities, and we're issuing a patch as a precaution.
Security Risk
Not Critical
Vulnerability
Other
Affected Versions
CiviCRM v4.5.0 - v4.5.6
CiviCRM v4.4.0 - v4.4.12
CiviCRM v4.3.0 - v4.3.10
CiviCRM v4.2.0 - v4.2.19
Fixed Versions
CiviCRM v4.5.7+, v4.4.13+, v4.3.11+, and v4.2.20+
Solutions
Any ONE of the following:
- Upgrade to CiviCRM v4.5.7+, v4.4.13+, v4.3.11+, or v4.2.20+
- Apply https://code.google.com/p/smarty-php/source/detail?r=4779
Credits
- jonieske
- Uwe Tews
- Chris Burgess (Fuzion)
References
- http://www.smarty.net/forums/viewtopic.php?t=18815
- https://bugs.gentoo.org/show_bug.cgi?id=356615
CVE
CVE-2011-1028
