New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Is version 2.6.31 impacted by CVE-2018-13982 ? #518

Closed
dfranco opened this Issue Dec 2, 2018 · 7 comments

Comments

Projects
None yet
3 participants
@dfranco
Copy link

dfranco commented Dec 2, 2018

Hello,

I'm trying to find the information in the release notes, git, etc. but can't find it.

I'm using Smarty 2.6.31 and wondering if I need to upgrade to latest 3.1.x ?
Is 2.6.31 impacted by CVE-2018-13982 ?

Thanks for your help

@dfranco

This comment has been minimized.

Copy link

dfranco commented Dec 14, 2018

Hello,

Is there anyone who can answer my question ?

Thanks for any feedback

@msimion

This comment has been minimized.

Copy link

msimion commented Dec 18, 2018

Davide,

According to the link below, Smarty_Security::isTrustedResourceDir() in Smarty before 3.1.33 is prone to a path traversal vulnerability:

https://nvd.nist.gov/vuln/detail/CVE-2018-13982

The wisest choice in my opinion would be to switch to 3.1.33.

@dfranco

This comment has been minimized.

Copy link

dfranco commented Dec 19, 2018

Hi @msimion ,
Thanks for your feedback.
I'm using latest release from branch Smart2, and Smart_Security PHP class does not exists.
So I'm still wondering if CVE-2018-13982 has any security impact on 2.6.31.
+1 about updating to 3.1.33, but it'd take so much time to adapt my code, that I wanted to avoid any changes if it's not mandatory

@artcs

This comment has been minimized.

Copy link

artcs commented Dec 19, 2018

According to the Debian Security Tracker this was introduced in Release 3.1.28. You can check for yourself if your version is affacted by trying a path traversal:

$Smarty = new Smarty;
$Smarty->enableSecurity();
$Smarty->display('eval:{fetch file="'.addslashes(getcwd()).'/templates/../../../../../etc/passwd"}');
@dfranco

This comment has been minimized.

Copy link

dfranco commented Dec 19, 2018

Hi @artcs

Running Smarty 2.6.31
Fatal error: Call to undefined method Smarty::enableSecurity() in script.php on line xx

If I'm not wrong, Smarty 2.6.31 is not impacted by this security issue.

Thought ?

@artcs

This comment has been minimized.

Copy link

artcs commented Dec 19, 2018

enableSecurity() is Smarty 3 only. In Smarty 2 you have to set $security and $secure_dir to activate the security functions (RTFM). If security isn't enabled one way or another you can fetch any file you like on your server, which isn't a problem as long as you don't allow untrustworthy people to upload files to your templates dir.

@dfranco

This comment has been minimized.

Copy link

dfranco commented Dec 20, 2018

Hi @artcs

Security is set to FALSE (which is by default) and I don't allow anyone to upload files to templates dir.
Based on that, I consider Smarty 2.6.31 safe enough to no switch (yet) to version 3.

Thanks for your help

@dfranco dfranco closed this Dec 20, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment