CIVI-SA-2013-005 - Smarty XSS (Unspecified)

Published
2013-06-05 22:23

Smarty is the template library responsible for composing web-page output in CiviCRM. If Smarty encounters an internal processing error (such as an unknown template file or an unknown template function), it outputs an error message. In Smarty 2.6.26 and earlier, the error message is not properly escaped and (in combination with other, unidentified flaws) may provide a vector for a cross-site scripting attack. The issue is resolved in Smarty 2.6.27 and CiviCRM 4.3.4.

Note: There are no known exploits for this issue in CiviCRM, and it is not known whether this issue is actually exploitable.
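The following is an added illustration of the error-reporting pattern described above, written for this advisory and not taken from Smarty or CiviCRM. It contrasts an error message that interpolates a template name into HTML as-is with one that escapes it first. The template names, the list of known templates, and the function names are constructed for the example.

```php
<?php
// Added example (not CiviCRM or Smarty code): an unescaped error message
// beside its escaped counterpart. KNOWN_TEMPLATES and the template names
// below are constructed for illustration.

declare(strict_types=1);

/** Templates the hypothetical engine knows about (constructed). */
const KNOWN_TEMPLATES = ['contact/view.tpl', 'event/register.tpl'];

/**
 * Unsafe pattern: the resource name goes into HTML untouched. If request
 * input can influence the name, any markup in it reaches the browser.
 */
function renderErrorUnescaped(string $resource): string
{
    return '<p class="error">Template error: unable to read resource "'
        . $resource . '"</p>';
}

/**
 * Hardened pattern: every fragment that may carry external input is
 * HTML-escaped before being placed in markup. ENT_QUOTES covers both quote
 * styles so the value cannot break out of an attribute either.
 */
function renderErrorEscaped(string $resource): string
{
    $safe = htmlspecialchars($resource, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p class="error">Template error: unable to read resource "'
        . $safe . '"</p>';
}

/** Resolve a template name; on failure, report it via the given renderer. */
function fetchTemplate(string $name, callable $errorRenderer): string
{
    if (in_array($name, KNOWN_TEMPLATES, true)) {
        return "<!-- would render $name here -->";
    }
    return $errorRenderer($name);
}

// Constructed sample input: a template name that carries markup.
$tainted = 'missing.tpl"><script>alert(1)</script>';

// Unsafe renderer: the output contains a live <script> element.
echo fetchTemplate($tainted, 'renderErrorUnescaped'), PHP_EOL;

// Hardened renderer: the output shows &lt;script&gt;... as inert text.
echo fetchTemplate($tainted, 'renderErrorEscaped'), PHP_EOL;

// Check suitable for a regression test: no raw tag survives escaping.
assert(strpos(fetchTemplate($tainted, 'renderErrorEscaped'), '<script') === false);
```

The hardened form is the general rule behind the fix: error text is output like any other page content, so every value that can be influenced by a request (resource names, function names, file paths) must be escaped for the context it lands in. A reviewer auditing an engine for this class of bug can grep its error paths for string concatenation into HTML and confirm that each interpolated value passes through an escaping call.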

Security Risk

Less Critical

Vulnerability

Cross Site Scripting

Affected Versions

CiviCRM v1.0.0 - v4.2.9, v4.3.0 - v4.3.3

Fixed Versions

CiviCRM v4.2.10 and v4.3.4

Solutions

Any ONE of the following solutions will provide protection:

Credits
  • Uwe Tews
  • Neil Drumm
  • CiviCRM LLC
References

CVE: CVE-2012-4437