
Code injection leak!

ro8in (Smarty n00b)
Posted: Wed Jul 04, 2012 9:47 am    Post subject: Code injection leak!

I think there might be a code injection leak in Smarty. We are currently facing code injection problems on some of our high traffic sites. We are still figuring out where it's coming from (doing file audits etc.).

The file where the code is being injected is smarty_internal_templatebase.php

It might not be smarty, but since it happened on different installs running different code with only smarty being the same we suspect the problem is within smarty itself.

Just to give you guys heads up.
rodneyrehm (Administrator, Germany, border to Switzerland)
Posted: Wed Jul 04, 2012 10:14 am

Please elaborate. I don't see any (obvious) point-of-entry for any sort of injection. Besides the data you pass in via the API, Smarty internally only checks a few $_COOKIE and $_SERVER values - without outputting or eval()ing their content. The only possible injection I see is on line 322
Code:
header($_SERVER['SERVER_PROTOCOL'].' 304 Not Modified');
If you - somehow? - managed to populate that variable, you could initiate an HTTP relocation. We'll be looking into that, but I'm pretty sure this is not what you're referring to.
ro8in (Smarty n00b)
Posted: Wed Jul 04, 2012 10:19 am

Basically what happens is that the file smarty_internal_templatebase.php is altered and some code is being added. This code is a base64 hash which eventually decodes to a popup script on all template cache files.

How they are altering this file I do not yet know at this point. We are still working on finding their point of entry.
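The post above describes the symptom the original poster was auditing for: a library file (smarty_internal_templatebase.php) altered to carry a base64 blob that is decoded and executed, with the result ending up in every compiled template. The following Python script is an added example written for this thread, not code from Smarty or from either poster: it compares a Smarty lib directory against a baseline of known-good SHA-256 hashes (assumed to have been recorded from a clean install), flags files that changed or were not in the baseline, and decodes any eval(base64_decode('...')) loader it finds so the investigator can see what was planted. The sample files, the hash baseline and the popup payload are constructed inline.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

# Loader shape seen in the thread: eval() fed by base64_decode() of a string literal.
INJECT_RE = re.compile(rb"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit(lib_dir: Path, baseline: dict) -> dict:
    """Walk every .php file under lib_dir. A file is 'modified' if its hash no longer
    matches the baseline and 'unknown' if the baseline never listed it (a dropped file).
    'decoded' holds the decoded payload of an eval(base64_decode()) loader, if present."""
    report = {}
    for path in sorted(lib_dir.rglob("*.php")):
        rel = str(path.relative_to(lib_dir))
        match = INJECT_RE.search(path.read_bytes())
        report[rel] = {
            "unknown": rel not in baseline,
            "modified": rel in baseline and baseline[rel] != sha256_of(path),
            "decoded": base64.b64decode(match.group(1)) if match else None,
        }
    return report


def demo() -> dict:
    # Constructed sample: record a baseline for a clean file, then overwrite it with an
    # injected loader and drop an extra file, the way the thread describes the tampering.
    clean = b"<?php\nclass Smarty_Internal_TemplateBase {\n  public function fetch() {}\n}\n"
    popup = base64.b64encode(b"<script>window.open('http://example.invalid/');</script>")
    dirty = clean + b"eval(base64_decode('" + popup + b"'));\n"
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp)
        target = lib / "smarty_internal_templatebase.php"
        target.write_bytes(clean)
        baseline = {"smarty_internal_templatebase.php": sha256_of(target)}
        target.write_bytes(dirty)
        (lib / "dropper.php").write_bytes(b"<?php echo 1;\n")
        return audit(lib, baseline)
```

Run `demo()` to see the report for the constructed directory; on a real install, build the baseline from a pristine copy of the same Smarty version and point `audit()` at the deployed lib directory.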
rodneyrehm (Administrator, Germany, border to Switzerland)
Posted: Wed Jul 04, 2012 10:27 am

OK, so it is not smarty_internal_templatebase.php that has a hole, but some hole somewhere allowed an attacker to modify smarty_internal_templatebase.php to run malicious code.

Now that could be anything, anywhere. They just chose smarty_internal_templatebase.php because it contains the fetch() method, which is a central piece of our rendering pipeline.

The attacker might as well have gained access to your system through something like phpMyAdmin (just an example I pulled from thin air!) and queried the disk for files it knew to modify (like our smarty_internal_templatebase.php, some central part of wordpress, …).
ro8in (Smarty n00b)
Posted: Wed Jul 04, 2012 12:58 pm

Yes that's exactly the case.

I don't know yet if the actual leak is within Smarty itself.

Smarty being guilty of the leak only got higher on the list because of the fact that it happened to 2 completely different systems with the only thing in common being Smarty. Besides the fact that in both cases only Smarty itself is affected.

But as of now it's not a confirmed leak yet. We are still looking into it.
rodneyrehm (Administrator, Germany, border to Switzerland)
Posted: Wed Jul 04, 2012 1:11 pm

I don't like the odds of this being a smarty issue, even though it appears to have compromised 2 distinct systems of yours. Most notably because there would've been a bunch of complaints about this from other developers as well. That said, I have a couple of questions for you:

a) is smarty accessible through HTTP (read: is it inside htdocs or not)
b) are the compiled templates accessible through HTTP (again, within htdocs or not)
c) are the two projects sharing (similar, not necessarily identical) templates or plugins?
d) are you passing any input (like $_GET['foo']) to something that might end up being a string: or eval: resource or {eval} (and thus actually evaluated as PHP)?
e) do you have things like register_globals on [truly don't see how smarty would be susceptible to that, though]?
f) have you checked your (apache?) logs for "funky" requests?
g) are the two systems running on the same physical or virtual os? possibly even accessing centralized code? What else is running on this system?
h) What PHP version are we talking about?
i) What Smarty version are we talking about?