Smarty Forum Index Smarty
The discussions here are for Smarty, a template engine for the PHP programming language.
Security issue with $smarty.template variable

 
Post new topic   Reply to topic    Smarty Forum Index -> Bugs
View previous topic :: View next topic  
Author Message
jonieske
Smarty n00b


Joined: 09 Feb 2011
Posts: 1

PostPosted: Wed Feb 09, 2011 4:52 pm    Post subject: Security issue with $smarty.template variable Reply with quote

Greetings,

i've been working with a software that would allow users to customize views with some templating system, so i took a shot with Smarty. Security is surely a concern, so i've been playing around for some time now looking for possible issues.

Anyway, i found a problem with $smarty.template variable, and how it's inserted into compiled php file.
If i have a template source file named '.(include 'hack.php').'.tpl containing just {$smarty.template} string, it gets compiled into following:
Code:
<?php echo ''.(include 'hack.php').'.tpl';?>

Which would effectively include hack.php file.

Vulnerable code is found in sysplugins/smarty_internal_compile_private_special_variable.php file (line 60), and looks like there's several potential issues as well. I guess solution would be to simply call addslashes for inserted variable.
Back to top
View user's profile Send private message
U.Tews
Administrator


Joined: 22 Nov 2006
Posts: 4625
Location: Hamburg / Germany

PostPosted: Wed Feb 09, 2011 5:50 pm    Post subject: Reply with quote

Thanks for your input.

This has been fixed in the SVN trunk now,
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Smarty Forum Index -> Bugs All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group
Protected by Anti-Spam ACP