Possible Path manipulation vulnerability #2289

Open
enferas opened this issue Nov 10, 2021 · 2 comments

enferas commented Nov 10, 2021

Hello,

I would like to report a path manipulation vulnerability.

The path of the vulnerability:

File "Smarty.class.php" line 1714

    function _read_file($filename)
    {
        if ( file_exists($filename) && is_readable($filename) && ($fd = @fopen($filename, 'rb')) ) {
            $contents = '';
            while (!feof($fd)) {
                $contents .= fread($fd, 8192);
            }
            fclose($fd);
            // the source
            return $contents;
        } else {
            return false;
        }
    }

File "core.read-cache-file.php"

// line 43
// the source will be the returned value from _read_file
$params['results'] = $smarty->_read_file($_cache_file);
// line 51
$_contents = $params['results'];
// line 54
$_cache_info = unserialize(substr($_contents, $_info_start, $_info_len));
// line 73
// the pattern is array_keys here
foreach (array_keys($_cache_info['template']) as $_template_dep) {
            $_params['resource_name'] = $_template_dep;
            // the source will pass to _fetch_resource_info function
            if (!$smarty->_fetch_resource_info($_params) || $_cache_info['timestamp'] < $_params['resource_timestamp']) {
                // template file has changed, regenerate cache
                return false;
            }
        }

File "Smarty.class.php"

// line 1538 in function _fetch_resource_info
$_params = array('resource_name' => $params['resource_name']);
// line 1544
if ($this->_parse_resource_name($_params)) {..}
// line 1620 in function _parse_resource_name
// $params is $_params
$_resource_name_parts = explode(':', $params['resource_name'], 2);
// line 1632
$params['resource_type'] = $_resource_name_parts[0];
// line 1661
$_params = array('type' => $params['resource_type']);
// line 1663
// the source will be passed in $_params['type'] to the function smarty_core_load_resource_plugin
smarty_core_load_resource_plugin($_params, $this);

File "core.load_resource_plugin.php"

// line 44
// $params['type'] will be in $_plugin_file
$_plugin_file = $smarty->_get_plugin_filepath('resource', $params['type']);
// line 51
include_once($_plugin_file);

auyongcheemeng commented Nov 11, 2021

Since #2285 (in 2016) Announcement ThinkUp App is basically shut down and its code base unmaintained/discontinued.


enferas commented Dec 7, 2021

Thank you for your response.

Just for research goals, CVE-2021-43674 is assigned.

** UNSUPPORTED WHEN ASSIGNED ** ThinkUp 2.0-beta.10 is affected by a path manipulation vulnerability in Smarty.class.php.
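
The trace in the report ends with a value taken from the cache file becoming part of an `include_once` path. One way to constrain that value before the plugin lookup is shown below as an added example; it is not ThinkUp or Smarty code, the function names are hypothetical, and it assumes plugin files are named `resource.<type>.php`.

```php
<?php
// Added example, not Smarty or ThinkUp code; function names are hypothetical.

// Split "type:name" as in the trace and accept the type only when it is a
// plain identifier, so it cannot carry "/", "\", ".." or NUL bytes.
function resource_type_from_name(string $resourceName): ?string
{
    $parts = explode(':', $resourceName, 2);
    if (count($parts) !== 2) {
        return null; // no "type:" prefix, so no resource plugin is looked up
    }
    $ok = preg_match('/\A[A-Za-z][A-Za-z0-9_]{0,63}\z/', $parts[0]) === 1;
    return $ok ? $parts[0] : null;
}

// Map a validated type to a plugin file and confirm the resolved path is
// still inside one of the configured plugin directories.
// Assumption: plugin files are named resource.<type>.php.
function resolve_resource_plugin(string $type, array $pluginDirs): ?string
{
    foreach ($pluginDirs as $dir) {
        $base = realpath($dir);
        if ($base === false) {
            continue;
        }
        $prefix = $base . DIRECTORY_SEPARATOR;
        // realpath() collapses ".." and symlinks; false if the file is absent.
        $candidate = realpath($prefix . 'resource.' . $type . '.php');
        if ($candidate !== false && strncmp($candidate, $prefix, strlen($prefix)) === 0) {
            return $candidate;
        }
    }
    return null;
}

// Constructed sample: a temporary plugin directory and resource names as
// they might appear as keys of $_cache_info['template'].
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'plugins_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'resource.db.php', "<?php\n");
foreach (['db:page.tpl', '../../tmp/x:page.tpl', 'index.tpl'] as $name) {
    $type = resource_type_from_name($name);
    $path = $type === null ? null : resolve_resource_plugin($type, [$dir]);
    printf("%-22s => %s\n", $name, $path ?? 'no plugin loaded');
}
unlink($dir . DIRECTORY_SEPARATOR . 'resource.db.php');
rmdir($dir);
```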
