Bug/Vuln in Smarty 3 (current SVN)
79TA462 (Smarty Rookie)
Posted: Tue Nov 17, 2009 2:55 am    Post subject: Bug/Vuln in Smarty 3 (current SVN)

Hello

Seems there's a bug and vuln in v3 of Smarty when adding a specific request_uri / a specific query into the display function, where it causes it to write a directory if a : and 2 // are added. Example: request_uri = ://foo. See example code below.

index.php
Code:

<?php
ini_set('display_errors', 'On');
require('../libs/Smarty.class.php');

$smarty = new Smarty;

$smarty->caching = 1;
$smarty->force_compile = 0;
$smarty->cache_lifetime = 3600;
$smarty->compile_check = 0;
$smarty->use_sub_dirs = 1;

// Untrusted request data, used unsanitized (this is what triggers the report)
$query = $_GET['q'];

$smarty->assign('query', $query);
// The second argument to display() is the cache_id
$smarty->display('index.tpl', $_SERVER['REQUEST_URI']);
// - or -
// $smarty->display('index.tpl', $query);


Query index.php?q=://foo or index.php?q=site:http://example.com

This will write a directory within your document root if permissions are correct.

Will also output the following if display errors is on:


Quote:

Warning: mkdir() [function.mkdir]: File exists in /var/www/libs/sysplugins/smarty_internal_write_file.php on line 26

Warning: chmod() [function.chmod]: No such file or directory in /var/www/libs/sysplugins/smarty_internal_write_file.php on line 41

Warning: Smarty_Internal_CacheResource_File::include(./cache//index?q=://foobar/11/72/60/1172603085.index.tpl.php) [smarty-internal-cacheresource-file.include]: failed to open stream: No such file or directory in /var/www/libs/sysplugins/smarty_internal_cacheresource_file.php on line 54

Warning: Smarty_Internal_CacheResource_File::include() [function.include]: Failed opening './cache//index?q=://foobar/11/72/60/1172603085.index.tpl.php' for inclusion (include_path='.:/usr/share/php:/usr/share/php/smarty/:/usr/share/php/smarty/libs/') in /var/www/libs/sysplugins/smarty_internal_cacheresource_file.php on line 54


- Josh
U.Tews (Administrator)
Posted: Tue Nov 17, 2009 5:47 pm

It's in general a bad habit to use request vars without sanitizing anywhere in a script.

But with the latest update of the SVN, Smarty3 does now sanitize the compile_id and cache_id by replacing illegal chars with _.
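
Added example, not part of the thread and not Smarty's own code: one way an application can sanitize request data itself before passing it as the cache_id, using the same replace-with-underscore idea mentioned in the reply. The function name safe_cache_id, the allowlist, the length cap and the digest suffix are assumptions made for this illustration; the sample inputs are constructed, the first two being the queries from the report.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of Smarty): turn untrusted request data
 * into a cache_id that is safe to use as a single file-name component.
 */
function safe_cache_id(string $raw, int $maxLen = 64): string
{
    // Allowlist: every run of characters outside [A-Za-z0-9_] becomes "_",
    // so ":", "/", "?", "." and NUL bytes never reach the cache path.
    $clean = (string) preg_replace('/[^A-Za-z0-9_]+/', '_', $raw);
    $clean = trim(substr($clean, 0, $maxLen), '_');

    // The replacement is lossy ("a/b" and "a:b" both give "a_b"), so a
    // short digest of the raw value keeps distinct requests in separate
    // cache entries.
    $digest = substr(hash('sha256', $raw), 0, 12);

    return ($clean === '' ? 'id' : $clean) . '_' . $digest;
}

// Constructed sample inputs; the first two are the queries from the report.
$samples = ['://foo', 'site:http://example.com', '../../etc/passwd', "a\0b", ''];

foreach ($samples as $raw) {
    $id = safe_cache_id($raw);

    // Defensive check: the result must contain no path or URL syntax.
    if (preg_match('/^[A-Za-z0-9_]+$/', $id) !== 1) {
        throw new RuntimeException('unsafe cache_id produced');
    }
    printf("%-28s -> %s\n", json_encode($raw), $id);
}

// In the index.php from the report, the display call would become:
//   $smarty->display('index.tpl', safe_cache_id($query));
```

Run with `php` on the command line; each raw value maps to an identifier made only of letters, digits and underscores, so it cannot introduce extra directories under the cache directory.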