CIVI-SA-2015-001 - Arbitrary file read

Gepubliceerd
2015-02-25 19:29
Written by

CiviCRM includes the dompdf library for generating PDF documents. The dompdf library includes a standalone utility script, "dompdf.php"; old versions of the script are vulnerable to an arbitrary file access issue when the system is configured with option "DOMPDF_ENABLE_REMOTE".

(Note: The original upstream advisory from the dompdf project indicates that option "DOMPDF_ENABLE_PHP" must also be enabled to exploit this vulnerability. This option appears to have no affect on the vulnerability in the version of "dompdf.php" that shipped with CiviCRM. The option is disabled by default in CiviCRM.)

Security Risk
Critical
Vulnerability
Access Bypass
Information Disclosure
Affected Versions

CiviCRM v4.5.0 - v4.5.6

CiviCRM v4.4.0 - v4.4.12

CiviCRM v3.4 - v4.3 are not vulnerable by default but could be configured to be vulnerable.

Fixed Versions

CiviCRM v4.5.7+, v4.4.13+

Solutions

Any ONE of the following is adequate to protect against the vulnerability:

  • Upgrade to CiviCRM 4.5.7+ or 4.4.13+
  • Delete the file packages/dompdf/dompdf.php
  • In the file packages/dompdf/dompdf_config.inc.php, set define("DOMPDF_ENABLE_REMOTE", false). (NOTE: If you generate PDF documents which include images, disabling this option may break image-handling.)
Credits
  • Alejo Murillo Moya
  • Neil Drumm (drupal.org)
  • Tim Otten (civicrm.org)
  • Nicolas Ganivet (cividesk.com)
CVE
CVE-2014-2383