The Smarty templating engine includes a defect in which a specially named Smarty template could be used to execute PHP code.
An exploit of this vulnerability in CiviCRM has not been identified. Exploiting it requires that an attacker have permission to set the name and content of a template file; in CiviCRM deployments, this permission is generally only available to system administrators. Nevertheless, it could potentially be combined with other vulnerabilities, and we're issuing a patch as a precaution.
Affected versions:
- CiviCRM v4.5.0 - v4.5.6
- CiviCRM v4.4.0 - v4.4.12
- CiviCRM v4.3.0 - v4.3.10
- CiviCRM v4.2.0 - v4.2.19
Fixed versions:
- CiviCRM v4.5.7+, v4.4.13+, v4.3.11+, and v4.2.20+
Any ONE of the following:
- Upgrade to CiviCRM v4.5.7+, v4.4.13+, v4.3.11+, or v4.2.20+
- Apply https://code.google.com/p/smarty-php/source/detail?r=4779
- jonieske
- Uwe Tews
- Chris Burgess (Fuzion)
- http://www.smarty.net/forums/viewtopic.php?t=18815
- https://bugs.gentoo.org/show_bug.cgi?id=356615