Your message dated Wed, 28 Oct 2009 15:41:35 +0100
with message-id <[email protected]>
and subject line not relevant to smarty package
has caused the Debian Bug report #488523,
regarding smarty: CVE-2007-2326 Multiple PHP remote file inclusion
vulnerabilities in HYIP Manager Pro ...
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
488523: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=488523
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: smarty
Version: 2.6.19
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for smarty.
CVE-2007-2326[0]:
| Multiple PHP remote file inclusion vulnerabilities in HYIP Manager Pro
| allow remote attackers to execute arbitrary PHP code via a URL in the
| plugin_file parameter to (1) Smarty.class.php and (2)
| Smarty_Compiler.class.php in inc/libs/; (3)
| core.display_debug_console.php, (4) core.load_plugins.php, (5)
| core.load_resource_plugin.php, (6) core.process_cached_inserts.php,
| (7) core.process_compiled_include.php, and (8)
| core.read_cache_file.php in inc/libs/core/; and other unspecified
| files. NOTE: (1) and (2) might be incorrectly reported vectors in
| Smarty.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2326
http://security-tracker.debian.net/tracker/CVE-2007-2326
The vulnerable function is _get_plugin_filepath($type, $name).
You can find its definition in Smarty.class.php:
] function _get_plugin_filepath($type, $name)
] {
] $_params = array('type' => $type, 'name' => $name);
] require_once(SMARTY_CORE_DIR .'core.assemble_plugin_filepath.php');
] return smarty_core_assemble_plugin_filepath($_params,$this);
] }
The $_params which contains the unchecked $type and $name of the
plugin which shall be inserted is not checked against RFI or other
malicious strings got via a GET requests.
Kind regards,
Thomas.
signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
Hi,
As stated in the bug log, there are various factors which make this issue
irrelevant to the smarty package. I'm therefore closing this bug.
Thijs
--- End Message ---
