86488 2005-03-24 01:42 0000 dev-php/smarty Release 2.6.8 contains security fixes 2006-04-22 06:53:35 0000 1 1 1 Unclassified Gentoo Security GLSA Errors unspecified All Linux RESOLVED FIXED http://news.php.net/php.smarty.dev/2673 C1 [glsa] P2 major --- 1 akorthaus@web.de security@gentoo.org php-bugs@gentoo.org tomk@gentoo.org akorthaus@web.de 2005-03-24 01:42:55 0000 Smarty 2.6.8 Released [21-March-2005] For those using template security: A vulnerability in the regex_replace modifier has been fixed that allowed PHP code to be executed from a template, even with template security enabled. If you are using template security features, it is highly recommended to upgrade, or at least replace the modifier plugin. A problem with the {strip}{/strip} tags (that was introduced in 2.6.7) has been fixed. Casting objects to arrays in the {foreach} "item" attribute has been addressed. ChangeLog: http://smarty.php.net/misc/NEWS download: http://smarty.php.net/download.php Reproducible: Always Steps to Reproduce: 1. 2. 3. koon@gentoo.org 2005-03-24 02:16:28 0000 PHP team, please bump sebastian@gentoo.org 2005-03-24 08:32:23 0000 dev-php/smarty-2.6.8 is in portage now. koon@gentoo.org 2005-03-24 09:18:03 0000 Arches: please test and mark stable weeve@gentoo.org 2005-03-24 19:46:47 0000 Stable on SPARC. sebastian@gentoo.org 2005-03-24 21:17:45 0000 Stable on x86 and amd64. hansmi@gentoo.org 2005-03-25 01:36:08 0000 Stable on ppc. hansmi@gentoo.org 2005-03-25 13:07:22 0000 Stable on hppa, thanks to KillerFox for testing. kloeri@gentoo.org 2005-03-26 10:19:52 0000 Stable on alpha. koon@gentoo.org 2005-03-30 06:53:36 0000 GLSA 200503-35 tomk@gentoo.org 2005-04-08 06:48:51 0000 Smarty 2.6.9 has been released with some more security fixes, I'll add the ebuild soon. koon@gentoo.org 2005-04-08 06:53:49 0000 will be released as an update to GLSA 200503-35 tomk@gentoo.org 2005-04-08 08:07:00 0000 smarty{,-docs}-2.6.9 in cvs, stable on x86 and amd64. Arches please mark stable. hansmi@gentoo.org 2005-04-08 10:24:15 0000 Stable on ppc. kloeri@gentoo.org 2005-04-08 12:20:25 0000 Alpha stable. gustavoz@gentoo.org 2005-04-08 18:02:19 0000 sparc done. koon@gentoo.org 2005-04-09 09:20:01 0000 security: UPDATE draft sent, please approve koon@gentoo.org 2005-04-10 09:43:09 0000 UPDATE sent monte@ohrt.com 2006-04-06 06:43:11 0000 Just a note, this is a misleading bullitin (and showing up high in google results): http://www.gentoo.org/security/en/glsa/glsa-200503-35.xml The vulnerability does not open attacks from remote users, it only allows someone with direct access to template files to execute PHP commands from within the template. It would be good for someone to change that wording, thanks. jaervosz@gentoo.org 2006-04-06 10:55:49 0000 tomk/php-bugs/auditors please advise wether this is remotely exploitable. tomk@gentoo.org 2006-04-06 11:20:25 0000 (In reply to comment #19) > tomk/php-bugs/auditors please advise wether this is remotely exploitable. > According to the first entry in: http://smarty.php.net/index_archive.php it's not remotely exploitable. You need local access to the smarty template files to be able bypass certain checks when template security is enabled. That being said, when such a template has been created by a local user then the vulnerable code would be run when accessed remotely via the webserver. I'm unsure as to the criteria used to determine whether that is defined as being locally or remotely exploitable. koon@gentoo.org 2006-04-07 13:40:17 0000 I defined it as remotely exploitable because smarty's "template security" feature is typically used to allow untrusted users to plug their own template in a PHP application (for example, a bulletin board that allows users to customize templates). The hole is that the "template security" feature can be bypassed to allow to execute arbitrary code while theorically this should not be possible for those users. In which case the hole is remote, because the attacker doesn't need to be a local user. I agree it's a little misleading to use the term "Remote attacker" everywhere, since the attack can only be remote if the application allows users to upload their own templates... falco@gentoo.org 2006-04-10 15:28:47 0000 > I defined it as remotely exploitable because smarty's "template security" > feature is typically used to allow untrusted users to plug their own template > in a PHP application (for example, a bulletin board that allows users to > customize templates). yes, but generally, such PHP interfaces are reserved with an authentication device (at least, i hope so). Consequently, the potential attackers are not totally "unknown". This is remote but reserved for known members of a group. Well i think this doens't worth any update and we could close it. taviso@gentoo.org 2006-04-22 06:53:35 0000 I think we can close this bug now, please REOPEN if anyone disagrees.