Smarty
79TA462 Smarty Rookie
Joined: 12 Nov 2009 Posts: 5
Posted: Tue Nov 17, 2009 2:55 am Post subject: Bug/Vuln in Smarty 3 (current SVN)
Hello
Seems there's a bug and vuln in v3 of Smarty when adding a specific request_uri / a specific query into the display function, where it causes it to write a directory if a : and 2 // are added. Example: request_uri = ://foo. See example code below.
index.php
Code:
<?php
ini_set('display_errors', 'On');
require('../libs/Smarty.class.php');
$smarty = new Smarty;
$smarty->caching = 1;
$smarty->force_compile = 0;
$smarty->cache_lifetime = 3600;
$smarty->compile_check = 0;
$smarty->use_sub_dirs = 1;
$query = $_GET['q'];
$smarty->assign('query', $query);
// The second argument to display() is the cache_id; here it comes straight from the request.
$smarty->display('index.tpl', $_SERVER['REQUEST_URI']);
// - or -
// $smarty->display('index.tpl', $query);

Query index.php?q=://foo or index.php?q=site:http://example.com
This will write a directory within your document root if permissions are correct.
Will also output the following if display errors is on
Quote:
Warning: mkdir() [function.mkdir]: File exists in /var/www/libs/sysplugins/smarty_internal_write_file.php on line 26
Warning: chmod() [function.chmod]: No such file or directory in /var/www/libs/sysplugins/smarty_internal_write_file.php on line 41
Warning: Smarty_Internal_CacheResource_File::include(./cache//index?q=://foobar/11/72/60/1172603085.index.tpl.php) [smarty-internal-cacheresource-file.include]: failed to open stream: No such file or directory in /var/www/libs/sysplugins/smarty_internal_cacheresource_file.php on line 54
Warning: Smarty_Internal_CacheResource_File::include() [function.include]: Failed opening './cache//index?q=://foobar/11/72/60/1172603085.index.tpl.php' for inclusion (include_path='.:/usr/share/php:/usr/share/php/smarty/:/usr/share/php/smarty/libs/') in /var/www/libs/sysplugins/smarty_internal_cacheresource_file.php on line 54
- Josh
U.Tews Administrator
Joined: 22 Nov 2006 Posts: 5068 Location: Hamburg / Germany
Posted: Tue Nov 17, 2009 5:47 pm Post subject:
It's in general a bad habit to use request vars without sanitizing anywhere in a script.
But with the latest update of the SVN, Smarty3 does now sanitize the compile_id and cache_id by replacing illegal chars with _.
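
The sanitizing step described in the reply above, sketched as application-side PHP. This is an added example, not part of the thread and not Smarty's own code; the function names `sanitize_cache_id`, `hashed_cache_id` and `is_safe_component` are hypothetical. It also shows that replacing characters with `_` can make different inputs share one cache entry, which hashing the input avoids.

```php
<?php
// Added example; not Smarty's code. Function names are hypothetical.

/** Allow-list filter: each run of characters outside [A-Za-z0-9_] becomes "_". */
function sanitize_cache_id(string $raw): string
{
    return preg_replace('/[^A-Za-z0-9_]+/', '_', $raw) ?? '';
}

/** Fixed-length id: distinct inputs get distinct ids, and no input character reaches the file system. */
function hashed_cache_id(string $raw): string
{
    return 'q_' . hash('sha256', $raw);
}

/** True when the id can only ever be a single file-name component. */
function is_safe_component(string $id): bool
{
    return preg_match('/\A[A-Za-z0-9_]+\z/', $id) === 1;
}

// Constructed sample inputs: the two queries from the report, plus a
// variant of the first that differs only in its punctuation.
$samples = ['://foo', 'site:http://example.com', ':foo'];

foreach ($samples as $raw) {
    printf(
        "%-26s raw safe=%-3s sanitized=%-24s hashed=%s...\n",
        $raw,
        is_safe_component($raw) ? 'yes' : 'no',
        sanitize_cache_id($raw),
        substr(hashed_cache_id($raw), 0, 14)
    );
}

// '://foo' and ':foo' both sanitize to '_foo', so they would share one cache entry;
// their hashed ids differ.
// Usage with the script from the report (assumes $smarty and $query exist):
//   $smarty->display('index.tpl', hashed_cache_id($query));
```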