Smarty
jonieske Smarty n00b
Joined: 09 Feb 2011 Posts: 1
Posted: Wed Feb 09, 2011 4:52 pm Post subject: Security issue with $smarty.template variable
Greetings,
I've been working with software that would allow users to customize views with some templating system, so I took a shot with Smarty. Security is surely a concern, so I've been playing around for some time now looking for possible issues.
Anyway, I found a problem with the $smarty.template variable, and how it's inserted into the compiled PHP file.
If I have a template source file named '.(include 'hack.php').'.tpl containing just the {$smarty.template} string, it gets compiled into the following:
Code:
```php
<?php echo ''.(include 'hack.php').'.tpl';?>
```
Which would effectively include the hack.php file.
The vulnerable code is found in the sysplugins/smarty_internal_compile_private_special_variable.php file (line 60), and it looks like there are several potential issues as well. I guess the solution would be to simply call addslashes for the inserted variable.
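The string break-out the report describes, with the escaping fix beside it and a check a reviewer can run over generated code, as an added illustration written for this thread (not Smarty's own compiler code); the helper names are hypothetical and the file names are constructed samples.

```php
<?php
// Stand-in for the compiler step that emits PHP source for {$smarty.template}.
// The template file name is copied into a single-quoted PHP string literal.

// Unsafe emission: the raw name is spliced into the literal. A name containing
// a single quote closes the literal, so the rest of the name becomes PHP code
// that runs when the compiled template is executed.
function compileTemplateVarUnsafe(string $templateName): string {
    return "<?php echo '" . $templateName . "';?>";
}

// Hardened emission: escape the name before placing it inside the quotes (the
// reporter's suggestion). Note addslashes() also escapes double quotes and NUL,
// which a single-quoted literal reproduces verbatim; var_export($name, true)
// emits an exact literal if that matters for the names in question.
function compileTemplateVarSafe(string $templateName): string {
    return "<?php echo '" . addslashes($templateName) . "';?>";
}

// Review check: inside a single-quoted PHP literal only \' and \\ are escape
// sequences, so any quote left after removing those pairs means the name
// broke out of the literal.
function literalIsIntact(string $compiled): bool {
    if (!preg_match("/^<\\?php echo '(.*)';\\?>$/s", $compiled, $m)) {
        return false;
    }
    $body = preg_replace('/\\\\[\\\\\']/', '', $m[1]);
    return strpos($body, "'") === false;
}

$benign  = 'page.tpl';                         // constructed sample name
$hostile = "'.(include 'hack.php').'.tpl";     // the name from the report

foreach ([
    'unsafe, benign name'  => compileTemplateVarUnsafe($benign),
    'unsafe, hostile name' => compileTemplateVarUnsafe($hostile),
    'safe, hostile name'   => compileTemplateVarSafe($hostile),
] as $label => $compiled) {
    echo $label, ': ', literalIsIntact($compiled) ? 'intact' : 'BROKEN', "\n";
    echo '  ', $compiled, "\n";
}
```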
U.Tews Administrator
Joined: 22 Nov 2006 Posts: 5068 Location: Hamburg / Germany
Posted: Wed Feb 09, 2011 5:50 pm Post subject:
Thanks for your input.
This has been fixed in the SVN trunk now.