CIVI-SA-2021-02: Web Executable Utility Scripts

Published
2021-03-09 09:00
The development tree for CiviCRM includes a handful of utility scripts in the folders "sql/" and "tools/". These scripts may manipulate data (e.g. generating fake contact records), and they lacked guards against remote or malicious invocation through the web server.

This issue does not affect most deployments, which use the standard CiviCRM release archives ("*.tar.gz" or "*.zip"). It primarily affects developmental/testing systems or highly customized deployments that are checked out directly from CiviCRM's source code-management system ("git").


Security Risk
Not Critical
Vulnerability
Arbitrary PHP Code Execution
Affected Versions

CiviCRM versions 5.35.0 and earlier, if deployed directly from git

Fixed Versions

CiviCRM version 5.35.1 and ESR version 5.33.3

Solutions

Any ONE of these would be sufficient:

  • Deploy with a standard CiviCRM tarball (instead of using "git")

  • Upgrade to the latest version of CiviCRM

  • Delete or block remote access to any *.php files in the "civicrm/sql/" or "civicrm/tools/" folders
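The following script is an added example for the third solution above; it is not part of the advisory or of CiviCRM itself. It lists every *.php file under a CiviCRM checkout's sql/ and tools/ folders, returns a non-zero status when any are present (so it can gate a deployment pipeline), and can optionally write an Apache 2.4 "Require all denied" rule into those folders. The path argument, the Apache syntax and the assumption that AllowOverride permits .htaccess rules are the example's own; nginx deployments would need an equivalent "location" block with "deny all" instead.

```shell
#!/bin/sh
# Added example, not from the advisory or the CiviCRM project: audit a
# git-deployed CiviCRM tree for *.php files under sql/ and tools/ that the
# web server could execute, and optionally drop an Apache deny rule into
# those folders. ROOT is the CiviCRM code directory (assumption: it sits
# under the web root, as it does when the module is checked out from git).

# Print every *.php under ROOT/sql and ROOT/tools, one path per line, sorted.
# A missing folder is silently skipped.
list_utility_scripts() {
    root=$1
    find "$root/sql" "$root/tools" -type f -name '*.php' 2>/dev/null | sort
    return 0
}

# Exit status 0 when no such scripts exist, 1 when at least one does.
# Usable as a check in a deployment pipeline.
check_utility_scripts() {
    [ -z "$(list_utility_scripts "$1")" ]
}

# Write an .htaccess denying all remote access to one folder.
# "Require all denied" is Apache 2.4 syntax; it only takes effect if the
# directory's AllowOverride setting permits it (assumption).
block_folder() {
    dir=$1
    [ -d "$dir" ] || return 0
    printf 'Require all denied\n' > "$dir/.htaccess"
}

# Apply the deny rule to both utility folders.
block_utility_scripts() {
    block_folder "$1/sql"
    block_folder "$1/tools"
}

# Run directly: sh civi-utility-audit.sh /path/to/civicrm [--block]
if [ -n "${1:-}" ]; then
    scripts=$(list_utility_scripts "$1")
    if [ -z "$scripts" ]; then
        echo "OK: no web-executable utility scripts under $1/sql or $1/tools"
    else
        echo "WARNING: utility scripts present (delete them or block remote access):"
        printf '%s\n' "$scripts"
        if [ "${2:-}" = "--block" ]; then
            block_utility_scripts "$1"
            echo "wrote .htaccess deny rules into $1/sql and $1/tools"
        fi
    fi
fi
```

Deleting the files is the simpler and more robust fix where the checkout is only used to serve the site; the .htaccess option is for trees that are also used for development and still need the scripts locally.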


Credits

Tim Otten of CiviCRM Core for reporting the issue

Seamus Lee of JMA Consulting / CiviCRM Core and Rich Lott of Artfulrobot for fixing the issue

Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH for funding the fix

References

security/core#97