Smarty is a template library responsible for composing web-page output in CiviCRM. If Smarty encounters an internal processing error (such as an unknown template-file or unknown template-function), then it outputs an error message. In Smarty 2.6.26 and earlier, the error message is not properly escaped and (in combination with other, unidentified flaws) may provide a vector for a cross-site scripting attack. The issue is resolved in Smarty 2.6.27 and CiviCRM 4.3.4.
Note: There are no known exploits for this issue in CiviCRM, and it is not known whether this issue is actually exploitable.
Affected versions: CiviCRM v1.0.0 - v4.2.9, v4.3.0 - v4.3.3
Fixed versions: CiviCRM v4.2.10 and v4.3.4
Any ONE of the following solutions will provide protection:
- Upgrade to CiviCRM 4.2.10 or 4.3.4+
- Manually apply the patch from Smarty.net to the file "packages/Smarty/Smarty.class.php". (See: https://code.google.com/p/smarty-php/source/detail?spec=svn4739&r=4660)
Credits:
- Uwe Tews
- Neil Drumm
- CiviCRM LLC
References:
- Smarty v2.x Changelog: https://code.google.com/p/smarty-php/source/browse/branches/Smarty2Dev/ChangeLog
- Smarty v2.x Patch: https://code.google.com/p/smarty-php/source/detail?spec=svn4739&r=4660
- Vulnerability Disclosure from Smarty 3.x: http://www.cvedetails.com/cve/CVE-2012-4437/ (Note: CiviCRM uses Smarty 2.x, and it appears that the vulnerability here was not formally disclosed in Smarty 2.x. However, this vulnerability disclosure from Smarty 3.x covers an analogous issue.)
- CiviCRM Issue: http://issues.civicrm.org/jira/browse/CRM-12750
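
A way to check an installation against the versions listed in this advisory, as an added example that is not part of the original advisory or of CiviCRM's code. It assumes the Smarty 2.x class file declares its version as `var $_version = '...';`; the function names and the sample source text are constructed for illustration.

```python
import re

# Ranges copied from the advisory: v1.0.0 - v4.2.9 and v4.3.0 - v4.3.3.
AFFECTED_RANGES = [((1, 0, 0), (4, 2, 9)), ((4, 3, 0), (4, 3, 3))]
FIXED_SMARTY = (2, 6, 27)  # first Smarty 2.x release with the escaping fix

# Constructed stand-in for packages/Smarty/Smarty.class.php.
SAMPLE_SOURCE = "<?php\nclass Smarty {\n    var $_version = '2.6.26';\n}\n"


def parse_version(text):
    """Turn '4.2.10' into (4, 2, 10) so comparisons are numeric.

    A plain string comparison would rank '4.2.10' below '4.2.9' and
    report the fixed 4.2.10 release as affected.
    """
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def civicrm_affected(version):
    """True if the CiviCRM version falls inside an affected range."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def smarty_version(source):
    """Extract the declared version from Smarty.class.php source text.

    Assumption: the declaration looks like  var $_version = '2.6.26';
    """
    m = re.search(r"""\$_version\s*=\s*['"]([\d.]+)['"]""", source)
    return m.group(1) if m else None


def smarty_affected(source):
    """True/False from the declared version, None if it cannot be read."""
    declared = smarty_version(source)
    if declared is None:
        return None
    return parse_version(declared) < FIXED_SMARTY


if __name__ == "__main__":
    for release in ("4.2.9", "4.2.10", "4.3.3", "4.3.4"):
        print(release, "affected" if civicrm_affected(release) else "fixed")
    print("bundled Smarty affected:", smarty_affected(SAMPLE_SOURCE))
```

A site that applied the Smarty patch by hand keeps the old version string, so a `True` result from `smarty_affected` on such a site means the file needs manual inspection rather than proving it is unpatched.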