Smarty Forum Index Smarty

security notice in smarty [very very very dangerous]!!!

sm@rty
Smarty Regular


Joined: 01 Oct 2014
Posts: 65

PostPosted: Fri Mar 13, 2015 8:52 pm    Post subject: security notice in smarty [very very very dangerous]!!!

Hi

I found a security notice.

For example:

Code:
{$attacker_filename = ['attack1.php']}
{$attacker_content = ['<?php echo "hacked";?>']}
{array_map('file_put_contents',$attacker_filename,$attacker_content)}


All PHP functions like array_map can be dangerous.
AnrDaemon
Administrator


Joined: 03 Dec 2012
Posts: 1785

PostPosted: Fri Mar 13, 2015 10:04 pm

This is why you never allow random users to edit Smarty templates.
And generally disallow write access by the webserver to the parts of the site containing the code.
U.Tews
Administrator


Joined: 22 Nov 2006
Posts: 5068
Location: Hamburg / Germany

PostPosted: Sat Mar 14, 2015 5:14 am

Enable Security and allow only trusted PHP functions.
sm@rty
Smarty Regular


Joined: 01 Oct 2014
Posts: 65

PostPosted: Sat Mar 14, 2015 7:06 am

U.Tews wrote:
Enable Security and allow only trusted PHP functions.


Security is enabled and the trusted PHP functions are (please test):

- array_map
- isset
- ...

The file_put_contents function does not exist in the php_functions property, but an attacker can execute it through another function like array_map or array_filter.

Some PHP functions like array_filter, array_map, etc. can execute any function because they accept a callable parameter! So every PHP function that accepts a callable parameter is dangerous.

Not dangerous?
mohrt
Administrator


Joined: 16 Apr 2003
Posts: 7368
Location: Lincoln Nebraska, USA

PostPosted: Sat Mar 14, 2015 12:59 pm

If you trust a function like array_map you open that door yourself. Don't trust those functions, make a wrapper function instead. This only concerns template editors FYI.
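The approach the two administrators describe, as an added example that is not code from any post above or from the Smarty project itself: a Smarty 3 security policy whose php_functions list contains no callable-taking function, plus a wrapper plugin (the name safe_map, the allowed-operation table and the directory paths are assumptions) that exposes a fixed set of operations instead of a raw array_map.

```php
<?php
// Added example: harden a Smarty 3 setup against the array_map trick from this thread.
require_once __DIR__ . '/libs/Smarty.class.php';   // path is an assumption

$smarty = new Smarty();
$smarty->setTemplateDir(__DIR__ . '/templates');   // assumed layout
$smarty->setCompileDir(__DIR__ . '/templates_c');

// Security policy: only functions that cannot dispatch to a callable.
// array_map, array_filter, usort, call_user_func and friends are deliberately absent,
// so {array_map('file_put_contents', ...)} now fails at compile time with a
// SmartyCompilerException ("not allowed by security setting") instead of running.
class TemplateSecurity extends Smarty_Security
{
    public $php_functions      = array('isset', 'empty', 'count', 'strlen', 'htmlspecialchars');
    public $php_modifiers      = array('escape', 'count', 'strlen');
    public $static_classes     = array();   // no Class::method() access from templates
    public $allow_super_globals = false;
    public $allow_constants     = false;
}
$smarty->enableSecurity('TemplateSecurity');

// Wrapper plugin (mohrt's suggestion): the template chooses a key from a fixed table;
// it can never supply a function name, so the callable is always one we picked here.
// Usage in a template: {safe_map op="upper" values=$names assign="shouted"}
function smarty_function_safe_map($params, Smarty_Internal_Template $template)
{
    static $allowed = array(
        'upper'  => 'strtoupper',
        'trim'   => 'trim',
        'escape' => 'htmlspecialchars',
    );
    $op = isset($params['op']) ? (string) $params['op'] : '';
    if (!isset($allowed[$op]) || empty($params['values']) || !is_array($params['values'])) {
        trigger_error("safe_map: unknown op '{$op}' or missing values", E_USER_WARNING);
        return '';
    }
    $result = array_map($allowed[$op], $params['values']);
    if (!empty($params['assign'])) {
        $template->assign($params['assign'], $result);   // hand the array back to the template
        return '';
    }
    return implode(', ', $result);
}
$smarty->registerPlugin('function', 'safe_map', 'smarty_function_safe_map');
```

The whitelist alone closes the callable hole; the wrapper is what lets templates keep a mapping facility without getting array_map itself.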