Smarty
WARNING: All discussion is moving to https://reddit.com/r/smarty, please go there! This forum will be closing soon. |
bzfshop Smarty n00b
Joined: 05 Dec 2013 Posts: 1
Posted: Thu Dec 05, 2013 10:01 am Post subject: [FALSE ALARM] Security Bug Confirm
Hi guys, I met a critical Smarty problem, and I want to confirm whether this is a bug.
1. smarty_cache = true,
php_handling = (Any option)
2.
test.tpl
<html>
{$googleStatististicCode nofilter}
</html>
3. $googleStatististicCode ="<script language=\"php\">phpinfo();</script>"
4. test.tpl would be compiled & cached as
<html>
<script language="php">phpinfo();</script>
</html>
5. and this cached page would run PHP code
php_handling does nothing to remove PHP code like
<script language="php">
Any user can use this bug to inject PHP code and run it at will.
Please confirm whether this is a critical security bug.
Or, is there any way to remove/escape code like <script language="php">phpinfo();</script>?
U.Tews Administrator
Joined: 22 Nov 2006 Posts: 5068 Location: Hamburg / Germany
Posted: Sat Dec 07, 2013 11:23 am Post subject:
This is not a bug in Smarty. It is outside the scope of Smarty to check valid HTML tags for security risks.
The programmer opens security holes by disabling escaping on variables or by passing $_GET or $_POST variables without sanitization.
douglassdavis Smarty Junkie
Joined: 21 Jan 2008 Posts: 541
Posted: Sat Dec 07, 2013 6:32 pm Post subject:
I'm curious, so: if it was
Code: |
$googleStatisticsCode = "<?php phpinfo(); ?>";
|
and test.tpl was still
Code: |
<html>
{$googleStatististicCode nofilter}
</html>
|
Would it still call phpinfo()?
What about if no variable filter was specified and we removed "nofilter" (which would be equivalent to having a variable filter and specifying nofilter): would it still call phpinfo()?
U.Tews Administrator
Joined: 22 Nov 2006 Posts: 5068 Location: Hamburg / Germany
Posted: Sun Dec 08, 2013 12:10 am Post subject:
PHP code assigned to variables will not be executed.
douglassdavis Smarty Junkie
Joined: 21 Jan 2008 Posts: 541
Posted: Sun Dec 08, 2013 7:45 am Post subject:
U.Tews wrote: | PHP code assigned to variables will not be executed. |
Ok. You are right. I thought it was running PHP code as well. But, at first I had not put backslashes before the quotes:
Code: |
$var ="<script language="php">phpinfo();</script>" ;
|
Which made PHP run phpinfo(); before it even got to the Smarty output.
After I put backslashes:
Code: |
$var ="<script language=\"php\">phpinfo();</script>";
|
it no longer ran phpinfo();
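The escaping behaviour discussed in this thread, as an added example that is not part of any post and is not Smarty's own code: it compares default escaping with `nofilter` and shows validating a short identifier instead of accepting a whole snippet. It assumes Smarty 3.1 or 4 installed through Composer; `tracking_id_or_null`, its pattern, the compile directory and the sample values are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes Smarty 3.1/4 installed via
// Composer; the compile directory and all sample values are constructed.
require __DIR__ . '/vendor/autoload.php';

$smarty = new Smarty();
$smarty->setCompileDir(sys_get_temp_dir() . '/smarty_demo_c');
$smarty->escape_html = true; // escape every {$var} unless the tag says nofilter

// Constructed stand-in for a value that came from a form field or database.
$untrusted = '<script language="php">phpinfo();</script>';
$smarty->assign('googleStatististicCode', $untrusted);

// Default output: markup characters in the value are HTML-escaped.
$escaped = $smarty->fetch('string:<html>{$googleStatististicCode}</html>');

// nofilter: the same value reaches the page byte for byte.
$raw = $smarty->fetch('string:<html>{$googleStatististicCode nofilter}</html>');

// Hypothetical helper: accept only an identifier of a fixed shape (the pattern
// is an assumption for this demo) instead of accepting a whole snippet.
function tracking_id_or_null(string $input): ?string
{
    return preg_match('/\AUA-\d{4,10}-\d{1,4}\z/', $input) === 1 ? $input : null;
}

// The markup lives in the template; only the validated id is interpolated,
// and it is still escaped because nofilter is not used.
$tpl = 'string:{if $trackingId}<meta name="tracking-id" content="{$trackingId}">{/if}';

foreach (['UA-1234567-1', $untrusted] as $candidate) {
    $smarty->assign('trackingId', tracking_id_or_null($candidate));
    printf("%-45s => %s\n", $candidate, var_export($smarty->fetch($tpl), true));
}

echo $escaped, "\n", $raw, "\n";
```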