Smarty3 network design defects/logical errors cause remote code execution vulnerabilities and repair

Brief description:

Smarty is a widely used front-end template framework in PHP. However, because Smarty3 introduces new features, in some cases, you can use feature combinations to directly execute arbitrary code remotely.

Detailed description:

Author of this vulnerability: cly, I just released it on behalf of you :)

Because Smarty3 introduces two features:
1. If the template file name accepted by the template path parameters of methods such as display and fetch starts with "string:" or "eval, smarty3 uses the subsequent string value as the template file content, recompile and execute it. Reference connection: http://www.smarty.net/docs/en/template.resources.tpl#templates.from.string
2. In the template language of smarty3, you can use {phpfunction ()} and other methods to directly execute php expressions in the smarty tag. However, smarty2 does not. Reference connection: http://www.smarty.net/docs/en/language.syntax.variables.tpl

Therefore, with the combination of the above two features, if you can control the template file name, you can execute any php expression.

Similarly, with the resource feature of smarty3, you can directly use the "file:" protocol to remotely include arbitrary files. The underlying layer uses the fopen function to open files. In the default php configuration, although remote_file_include is disabled, remote_file_open is allowed. With this feature, the long-standing RFI classic Vulnerability Type has become increasingly popular. :)
Proof of vulnerability: 1. If the following logic code exists during the code writing process, you can import the user input to the Code logic for retrieval:

$ Smarty-> display ($ _ REQUEST ['tpl']. ". tpl ");
2. You can specify specific parameters in the URL when accessing the script, such as "? Tpl = string: {phpinfo ()} "to run the phpinfo code.

 
 

Solution:

Remove all code that uses user input as Template Name for rendering. Use the whitelist method to restrict loading of only known tpl files.