Smarty
mohrt Administrator
Joined: 16 Apr 2003 Posts: 7368 Location: Lincoln Nebraska, USA
Posted: Tue Apr 12, 2005 10:03 pm Post subject: The "vulnerability" issues explained
It seems that some people have been misled about the recent vulnerability issues (and fixes) related to Smarty. For example, this security bulletin is just dead wrong. The vulnerability issues do NOT open your server to remote attack (as this suggests). They only apply to Smarty users that have untrusted third parties editing template files. By default, you can execute PHP functions in the templates, such as {php} echo 'foo'; {/php}. When template security is enabled, it prohibits PHP function execution in the templates. There have been a few loopholes discovered and patched. If you do not use template security features, then none of the vulnerability issues apply to you.
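The default-versus-security-mode distinction in Monte's post, as an added PHP example (not code from this thread or from the Smarty project); it assumes Smarty 2.6 is on the include path and that a temp directory is writable, and the template it writes is constructed for the demo:

```php
<?php
// Added example, not from the forum thread: Smarty 2.x template security,
// the feature the post above refers to. Assumes Smarty 2.6 on the include
// path and a writable sys_get_temp_dir().
require_once 'Smarty.class.php';

// Constructed template: anyone who can edit this file gets arbitrary PHP
// execution through the {php} block unless template security is enabled.
$dir = sys_get_temp_dir() . '/smarty_sec_demo';
foreach (array('', '/templates', '/templates_c') as $sub) {
    if (!is_dir($dir . $sub)) { mkdir($dir . $sub, 0700, true); }
}
file_put_contents($dir . '/templates/page.tpl',
    "Hello {\$name}\n{php} echo php_uname(); {/php}\n");

function renderPage($secure) {
    global $dir;
    $smarty = new Smarty;
    $smarty->template_dir  = $dir . '/templates';   // implicitly a secure_dir
    $smarty->compile_dir   = $dir . '/templates_c';
    $smarty->force_compile = true;   // {php} is checked at compile time, so recompile each run

    // The hardening: with security on, untrusted template editors get no PHP execution.
    $smarty->security = $secure;                              // Smarty 2 default: false
    $smarty->security_settings['PHP_TAGS']     = false;       // reject {php}...{/php}
    $smarty->security_settings['PHP_HANDLING'] = false;       // raw <?php ?> stays literal text
    $smarty->security_settings['INCLUDE_ANY']  = false;       // {include} only from secure dirs

    $smarty->assign('name', 'world');

    // Smarty 2 reports secure-mode violations through trigger_error();
    // collect them here instead of letting them reach the rendered page.
    $violations = array();
    set_error_handler(function ($errno, $msg) use (&$violations) {
        $violations[] = $msg;
        return true;
    });
    $out = $smarty->fetch('page.tpl');
    restore_error_handler();
    return array('output' => $out, 'violations' => $violations);
}

$open   = renderPage(false);  // {php} block runs: output contains the php_uname() string
$locked = renderPage(true);   // compiler refuses the {php} block and records a warning
```

With security off the rendered output contains the php_uname() result; with it on, `$locked['violations']` holds the secure-mode warning and the block is not executed.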
boots Administrator
Joined: 16 Apr 2003 Posts: 5611 Location: Toronto, Canada
Posted: Tue Apr 12, 2005 11:02 pm Post subject:
Hee hee. How inelegant people are.
I thought the US-CERT site (always a little paranoid there) was a little off-base when they characterized it as a "high" security risk -- but that is way better than some of the other bulletins I read on these patches and certainly more accurate than the link Monte posted.
FWIW: the two recent security releases were predicated on messju's audits of the code base and were corrected and released in under 48 hours of each discovery. It was proactive review of the code (no known exploits) that led to the releases. Of course, people reporting "errors" in software (particularly errors they themselves did not find) are likely to say any old thing.
Maybe we should call them "Security Enhancements" next time