
The "vulnerability" issues explained

 
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Smarty Forum Index -> Announcements
View previous topic :: View next topic  
Author Message
mohrt
Administrator


Joined: 16 Apr 2003
Posts: 7368
Location: Lincoln Nebraska, USA

PostPosted: Tue Apr 12, 2005 10:03 pm    Post subject: The "vulnerability" issues explained

It seems that some people have been misled about the recent vulnerability issues (and fixes) related to Smarty. For example, this security bulletin is just dead wrong. The vulnerability issues do NOT open your server to remote attack (as this suggests). They only apply to Smarty users that have untrusted third parties editing template files. By default, you can execute PHP functions in the templates, such as {php} echo 'foo'; {/php}. When template security is enabled, it prohibits PHP function execution in the templates. There have been a few loopholes discovered and patched. If you do not use template security features, then none of the vulnerability issues apply to you.
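The two situations mohrt contrasts (templates edited only by trusted developers versus templates edited by third parties), written out as an added example that is not code from the thread or from the Smarty project. It assumes the Smarty 2.6-era class properties ($security, $secure_dir, $security_settings) and hypothetical template paths.

```php
<?php
// Added example, not from the thread: Smarty 2.x settings that decide whether
// a template author can execute PHP. Assumes Smarty 2.6-era properties.
require_once 'Smarty.class.php';

function configure_smarty(Smarty $smarty, $templates_edited_by_third_parties)
{
    $smarty->template_dir = './templates';    // hypothetical paths
    $smarty->compile_dir  = './templates_c';

    if (!$templates_edited_by_third_parties) {
        // Default behaviour: templates are trusted code, so
        // {php} echo 'foo'; {/php} runs as PHP. Nothing in the
        // template-security fixes applies to this setup.
        $smarty->security = false;
        return $smarty;
    }

    // Template security on: the compiler refuses {php} blocks, inline PHP
    // tags, includes outside $secure_dir and any PHP function that is not
    // on the whitelists below. The patched loopholes were bypasses of this.
    $smarty->security   = true;
    $smarty->secure_dir = array('./templates');            // only templates from here
    $smarty->security_settings['PHP_TAGS']     = false;    // no {php}...{/php}
    $smarty->security_settings['PHP_HANDLING'] = false;    // inline PHP tags passed through as text
    $smarty->security_settings['INCLUDE_ANY']  = false;    // {include} limited to $secure_dir
    $smarty->security_settings['ALLOW_CONSTANTS'] = false; // no {$smarty.const.*}
    $smarty->security_settings['MODIFIER_FUNCS'] = array('count');        // PHP funcs usable as modifiers
    $smarty->security_settings['IF_FUNCS']       = array('isset', 'empty', 'count'); // PHP funcs allowed in {if}
    return $smarty;
}

// Usage: pass true when people outside your team can write template files.
$smarty = configure_smarty(new Smarty(), true);
$smarty->assign('name', 'world');
$smarty->display('hello.tpl');   // hypothetical template
```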
boots
Administrator


Joined: 16 Apr 2003
Posts: 5611
Location: Toronto, Canada

PostPosted: Tue Apr 12, 2005 11:02 pm

Hee hee. How inelegant people are.

I thought the US-CERT site (always a little paranoid there) was a little off-base when they characterized it as a "high" security risk -- but that is way better than some of the other bulletins I read on these patches and certainly more accurate than the link Monte posted.

FWIW: the two recent security releases were predicated on messju's audits of the code base and were corrected and released in under 48 hours of each discovery. It was proactive review of the code (no known exploits) that led to the releases. Of course, people reporting "errors" in software (particularly errors they themselves did not find) are likely to say any old thing.

Maybe we should call them "Security Enhancements" next time :)