Smarty Forum Index Smarty
The discussions here are for Smarty, a template engine for the PHP programming language.
[FALSE ALARM] Security Bug Confirm

 
Post new topic   Reply to topic    Smarty Forum Index -> Bugs
View previous topic :: View next topic  
Author Message
bzfshop
Smarty n00b


Joined: 05 Dec 2013
Posts: 1

PostPosted: Thu Dec 05, 2013 10:01 am    Post subject: [FALSE ALARM] Security Bug Confirm Reply with quote

Hi guys, i met a critical smarty problem , i want to confirm whether this is a bug

1. smarty_cache = true,
php_handling = (Any option)

2.
test.tpl

<html>
{$googleStatististicCode nofilter}
</html>

3. $googleStatististicCode ="<script language=\"php\">phpinfo();</script>"

4. test.tpl would be compiled & cache as
<html>
<script language="php">phpinfo();</script>
</html>

5. and this cached page would run PHP code
php_handling does nothing to remove PHP code like
<script language="php">

Any use can use this bug to inject PHP Code and run it as will

Please Confirm whether this is a critical security bug ?
Or , is there anyway to remove/esacpe code like <script language="php">phpinfo();</script>
Back to top
View user's profile Send private message
U.Tews
Administrator


Joined: 22 Nov 2006
Posts: 4507
Location: Hamburg / Germany

PostPosted: Sat Dec 07, 2013 11:23 am    Post subject: Reply with quote

This is not a bug of Smarty. It is out of the scope of smarty to check valid html tags for security risks.

The programmer did open security holes when disabling escaping on variables or passing $_GET or $_POST variables without sanitation.
Back to top
View user's profile Send private message
douglassdavis
Smarty Junkie


Joined: 21 Jan 2008
Posts: 537

PostPosted: Sat Dec 07, 2013 6:32 pm    Post subject: Reply with quote

I'm curious so, if it was

Code:

$googleStatisticsCode = "<?php phpinfo(); ?>";


and test.tpl was still

Code:

<html>
{$googleStatististicCode nofilter}
</html>


would it still call phpinfo()?

what about if no variable filter was specified and we removed "nofilter," (which would be equivalent to having a variable filter and specifying nofilter) would it still call phpinfo()?
Back to top
View user's profile Send private message
U.Tews
Administrator


Joined: 22 Nov 2006
Posts: 4507
Location: Hamburg / Germany

PostPosted: Sun Dec 08, 2013 12:10 am    Post subject: Reply with quote

PHP code assigned to variables will not be executed.
Back to top
View user's profile Send private message
douglassdavis
Smarty Junkie


Joined: 21 Jan 2008
Posts: 537

PostPosted: Sun Dec 08, 2013 7:45 am    Post subject: Reply with quote

U.Tews wrote:
PHP code assigned to variables will not be executed.


Ok. You are right. I thought it was running PHP code as well. But, at first I had not put backslashes before the quotes:

Code:

$var ="<script language="php">phpinfo();</script>" ;


Which made PHP run phpinfo(); before it even got to the smarty output.

After I put backslashes:
Code:

 $var ="<script language=\"php\">phpinfo();</script>";


it no longer ran phpinfo();
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Smarty Forum Index -> Bugs All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group
Protected by Anti-Spam ACP