CVE-2018-13818 #2743

Closed
bh-e opened this issue Sep 5, 2018 · 5 comments


bh-e commented Sep 5, 2018

Hello.

I couldn't find which change fixed CVE-2018-13818. Please help.

Member

stof commented Sep 5, 2018

I don't know about this CVE, and Twig does not do anything with $_GET parameters by itself.

And the exploit https://www.exploit-db.com/exploits/44102/ linked on https://www.cvedetails.com/cve/CVE-2018-13818/ talks about accessing http://localhost/search?search_key={{ls}} to trigger the exploit. But this implies a website, not just Twig.

So I think this CVE was not tied to the right source. The issue was most probably in a different package (maybe using Twig among other things).

Member

stof commented Sep 5, 2018

And the diff of 2.4.4 makes it even less likely that such a thing got fixed: v2.4.3...v2.4.4

Author

bh-e commented Sep 5, 2018

@stof, have you attempted to reproduce https://www.exploit-db.com/exploits/44102/?

Contributor

nicolas-grekas commented Sep 5, 2018

Same as @stof, this looks like an invalid or at least incomplete report. @bh-e there is no way to reproduce this: Twig is not a web app so you cannot hit it. It needs a webapp to wrap it. It's the responsibility of the webapp to do it properly. If you have more details about this CVE, we would be happy to try a reproducer.
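The distinction the maintainers draw above, shown as an added example that is not part of the thread or of Twig's code: the same request value handled by a hypothetical wrapping application first as template source and then as template data. It assumes twig/twig installed through Composer; the template name `search.html.twig` and the three helper functions are made up for illustration, and the thread does not confirm that this is what the report concerned.

```php
<?php
// Added illustration, not code from Twig, the exploit report, or this thread.
// Assumes twig/twig is installed with Composer (namespaced classes: Twig 2.7+ or 3.x).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Hypothetical application template; its source is fixed at development time.
$twig = new Environment(new ArrayLoader([
    'search.html.twig' => 'Results for: {{ search_key }}',
]), ['autoescape' => 'html']);

// Pattern A (application bug): the request value is concatenated into the
// template source, so Twig parses it as Twig syntax.
function renderUnsafe(Environment $twig, string $searchKey): string
{
    return $twig->createTemplate('Results for: ' . $searchKey)->render([]);
}

// Pattern B: the request value is only ever a variable of a fixed template,
// so it is output (HTML-escaped) and never parsed.
function renderSafe(Environment $twig, string $searchKey): string
{
    return $twig->render('search.html.twig', ['search_key' => $searchKey]);
}

// Regression check an application can keep in its test suite: the value must
// come back verbatim (after HTML escaping), meaning it was treated as data.
function treatedAsData(string $output, string $searchKey): bool
{
    $escaped = htmlspecialchars($searchKey, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return strpos($output, $escaped) !== false;
}

// Constructed input: the value from the URL quoted in the thread.
$searchKey = '{{ls}}';

foreach (['renderUnsafe', 'renderSafe'] as $fn) {
    $out = $fn($twig, $searchKey);
    printf("%-12s %-28s data-only: %s\n", $fn, json_encode($out),
        treatedAsData($out, $searchKey) ? 'yes' : 'no');
}
```

Both paths call the same Twig version; only the application's choice of what it hands to the parser differs, which is why no library diff would show a fix.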

Author

bh-e commented Sep 5, 2018

@nicolas-grekas, @stof: I have contacted the exploit author via Twitter, and this is his reply: https://mobile.twitter.com/jameel_nabbo/status/1032593354704515072?s=20

fabpot closed this as completed Sep 5, 2018
adborden added a commit to GSA/open311-simple-crm that referenced this issue Mar 7, 2019
CVE is disputed and missing information. Twig discussion shows there was never
any fix to be made.
twigphp/Twig#2743