CiviCRM 4.1.3 includes a fix for a security issue I recently reported, where CiviCRM incorrectly retained customer credit card data after transaction completion.
Here’s a hotfix for sites which can’t upgrade immediately, and an SQL query to identify if you’re affected.
In the process of validating form submissions server-side, CiviCRM’s form cache may retain sensitive data. I discovered and reported to the CiviCRM team a set of circumstances where this was occurring. As usual they were extremely responsive, and a short time later the release of v4.1.3 has been co-ordinated.
Please note that in order to take advantage of the cached data, an attacker would need to obtain access to your database or database backups directly. Users without access to the DB or backup files do not have access to this sensitive information. For this reason (and to save yourself time and disk space), it’s prudent to exclude the cache and temp tables from backups.
As the fix isn’t available for earlier CiviCRM releases, I’m making a Drupal module available which implements a similar fix for earlier versions of CiviCRM. CiviCRM sites have various levels of customisation in place, and upgrading to the latest codebase at short notice isn’t always an option.
If your customers enter credit card details on your site, check your DB now:
My advice is to upgrade to the latest release if at all possible, and to use this module as an option of last resort or as a temporary stopgap until you can upgrade. See the CiviCRM 4.1.3 release announcement for more info.
I hope to push this fix forward so that CiviCRM is able to prevent sensitive data from entering the cache, rather than purging it after the fact.
- CRM-11030 – Credit card information not correctly removed from cache table
- CRM-12132 – CiviCRM temporarily stores credit card details to DB
- SQL to check if your civicrm_cache table contains CC data
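As an added illustration of the check described above (this is my own example, not the author’s SQL query and not code from the hotfix module), the script below scans rows exported from the civicrm_cache table for card data. It assumes the `data` column holds PHP-serialized arrays and that CiviCRM’s payment forms store values under the field names `credit_card_number`, `cvv2` and `credit_card_exp_date`; verify those names against your own install. It flags a row only when one of those keys holds digits or when a 13 to 19 digit run passes the Luhn checksum, so same-length transaction ids are not reported, and it blanks hits with same-length placeholders so the serialized blob stays parseable. The sample rows are constructed.

```python
"""Scan exported civicrm_cache rows for credit-card data and redact it.

Added example, not the author's query or the hotfix module. Assumes the
cache `data` column is a PHP-serialized array and that the payment form
field names below are the ones CiviCRM uses (verify on your install).
"""
import re

# Assumed CiviCRM payment-form field names.
CARD_KEYS = ("credit_card_number", "cvv2", "credit_card_exp_date")

# Candidate PANs: 13-19 consecutive digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def serialized_value_pattern(key):
    """Regex matching a PHP-serialized string value stored under `key`."""
    return re.compile(r's:%d:"%s";s:(\d+):"([^"]*)"' % (len(key), re.escape(key)))


def find_card_data(data: str) -> dict:
    """Report card-related keys holding digits and Luhn-valid PANs in one blob."""
    keys = []
    for key in CARD_KEYS:
        m = serialized_value_pattern(key).search(data)
        if m and any(c.isdigit() for c in m.group(2)):
            keys.append(key)
    pans = [m.group(0) for m in PAN_RE.finditer(data) if luhn_valid(m.group(0))]
    return {"keys": keys, "pans": pans}


def scan_rows(rows):
    """Return (id, group_name, findings) for every row that holds card data."""
    hits = []
    for row in rows:
        found = find_card_data(row["data"])
        if found["keys"] or found["pans"]:
            hits.append((row["id"], row["group_name"], found))
    return hits


def redact(data: str) -> str:
    """Overwrite card values with X's of the same length so the
    PHP-serialized string lengths remain valid."""
    for key in CARD_KEYS:
        def _blank(m, key=key):
            n = int(m.group(1))
            return 's:%d:"%s";s:%d:"%s"' % (len(key), key, n, "X" * n)
        data = serialized_value_pattern(key).sub(_blank, data)
    # Any Luhn-valid PAN left under some other key is blanked as well.
    return PAN_RE.sub(
        lambda m: "X" * len(m.group(0)) if luhn_valid(m.group(0)) else m.group(0),
        data)


# Constructed sample rows modelled on civicrm_cache columns (not real data).
SAMPLE_ROWS = [
    {"id": 1, "group_name": "CiviCRM Session",
     "path": "CRM_Contribute_Controller_Contribution_example",
     "data": 'a:3:{s:18:"credit_card_number";s:16:"4111111111111111";'
             's:4:"cvv2";s:3:"123";s:6:"amount";s:5:"25.00";}'},
    {"id": 2, "group_name": "CiviCRM Session",
     "path": "CRM_Event_Controller_Registration_example",
     # 16 digits, but not Luhn-valid: a transaction id, not a card number
     "data": 'a:1:{s:7:"trxn_id";s:16:"1234567890123456";}'},
    {"id": 3, "group_name": "contact fields", "path": "contact_fields",
     "data": 'a:1:{s:10:"first_name";s:5:"Alice";}'},
]


if __name__ == "__main__":
    for row_id, group, found in scan_rows(SAMPLE_ROWS):
        print("civicrm_cache id=%s (%s): keys=%s pans=%d"
              % (row_id, group, found["keys"], len(found["pans"])))
    print(redact(SAMPLE_ROWS[0]["data"]))
```

In practice the rows would come from `SELECT id, group_name, path, data FROM civicrm_cache` through your database client. The redaction keeps the serialized lengths intact so a row could be written back, but deleting the affected rows outright, as the hotfix purges them, is the simpler remedy; excluding the table from backups then stops copies of the data accumulating elsewhere.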
The module is now available through Drupal.org, so that sites using it may take advantage of Drupal’s built-in update notification functionality. Only do this if you can’t upgrade to the latest CiviCRM!
Please download the Drupal module for your Drupal version at http://drupal.org/project/cccccc
A module for WordPress sites is available. It will be available through WordPress.org shortly, but for now you can download it from here.
Please download the WordPress plugin here: cccccc-wordpress-1.0.tgz
As CiviCRM-WordPress compatibility is recent, you are strongly encouraged to consider upgrading to current CiviCRM rather than using this hotfix module.
Implementing the same module for Joomla should be straightforward. I’d like to hear from any Joomla devs or sites who are interested in getting this in place.