Possible Path manipulation vulnerability
enferas opened this issue
Hello,
I would like to report a path manipulation vulnerability.
The path of the vulnerability:
File "Smarty.class.php" line 1714
function _read_file($filename)
{
    if ( file_exists($filename) && is_readable($filename) && ($fd = @fopen($filename, 'rb')) ) {
        $contents = '';
        while (!feof($fd)) {
            $contents .= fread($fd, 8192);
        }
        fclose($fd);
        // the source
        return $contents;
    } else {
        return false;
    }
}
File "core.read-cache-file.php"
line 43
// the source will be the returned value from _read_file
$params['results'] = $smarty->_read_file($_cache_file);
// line 51
$_contents = $params['results'];
// line 54
$_cache_info = unserialize(substr($_contents, $_info_start, $_info_len));
//line 73
// the pattern is array_keys here
foreach (array_keys($_cache_info['template']) as $_template_dep) {
    $_params['resource_name'] = $_template_dep;
    // the source will pass to _fetch_resource_info function
    if (!$smarty->_fetch_resource_info($_params) || $_cache_info['timestamp'] < $_params['resource_timestamp']) {
        // template file has changed, regenerate cache
        return false;
    }
}
File "Smarty.class.php"
// line 1538 in function _fetch_resource_info
$_params = array('resource_name' => $params['resource_name']) ;
// line 1544
if ($this->_parse_resource_name($_params)) {..}
// line 1620 in function _parse_resource_name
// $params is $_params
$_resource_name_parts = explode(':', $params['resource_name'], 2);
// line 1632
$params['resource_type'] = $_resource_name_parts[0];
// line 1661
$_params = array('type' => $params['resource_type']);
// line 1663
// the source will be passed in $_params['type'] to the function smarty_core_load_resource_plugin
smarty_core_load_resource_plugin($_params, $this);
File "core.load_resource_plugin.php"
// line 44
// $params['type'] will be in $_plugin_file
$_plugin_file = $smarty->_get_plugin_filepath('resource', $params['type']);
// line 51
include_once($_plugin_file);
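
The flow traced above ends in include_once on a path derived from cache-file contents. As an added example (not part of the original issue, and not ThinkUp or Smarty code), the checks below decode the cache header without instantiating objects, allowlist the resource type, and confirm the plugin path stays inside the plugins directory. The function names, the `db` type, the `resource.<type>.php` naming and the sample cache header are assumptions or constructed values.

```php
<?php
// Added example, not ThinkUp or Smarty code; all function names are hypothetical.

// Decode the cache header as plain data: no objects in the payload are instantiated.
function decode_cache_info(string $serialized): ?array
{
    $info = @unserialize($serialized, ['allowed_classes' => false]);
    return is_array($info) && is_array($info['template'] ?? null) ? $info : null;
}

// Split "type:name" as in the trace above and accept only allowlisted types.
function checked_resource_type(string $resourceName, array $allowedTypes): ?string
{
    $parts = explode(':', $resourceName, 2);
    // Assumption: a name without a "type:" prefix is a plain file resource.
    $type = count($parts) === 2 ? $parts[0] : 'file';
    return in_array($type, $allowedTypes, true) ? $type : null;
}

// Second layer: the plugin path must resolve to a file inside the plugins directory.
function checked_plugin_file(string $pluginsDir, string $type): ?string
{
    $base = realpath($pluginsDir);
    // Assumption: resource plugins are named "resource.<type>.php".
    $file = realpath($pluginsDir . DIRECTORY_SEPARATOR . "resource.$type.php");
    if ($base === false || $file === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($file, $prefix, strlen($prefix)) === 0 ? $file : null;
}

// Constructed sample: a plugins directory with one plugin, and a cache header
// listing one expected dependency and one whose type is not on the allowlist.
$plugins = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'plugins_demo';
@mkdir($plugins);
touch($plugins . DIRECTORY_SEPARATOR . 'resource.db.php');
$header = serialize(['timestamp' => 0, 'template' => [
    'db:dashboard.tpl' => true,
    '../other/x:dashboard.tpl' => true,
]]);

$info = decode_cache_info($header);
foreach (array_keys($info['template'] ?? []) as $dep) {
    $type = checked_resource_type($dep, ['file', 'db']);
    $file = $type === null ? null : checked_plugin_file($plugins, $type);
    echo $dep, ' => ', $file ?? 'rejected, treat cache as stale', PHP_EOL;
}
```
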
Since #2285 (in 2016) Announcement, ThinkUp App is basically shut down and its code base unmaintained/discontinued.
Thank you for your response.
Just for research goals, CVE-2021-43674 has been assigned.
** UNSUPPORTED WHEN ASSIGNED ** ThinkUp 2.0-beta.10 is affected by a path manipulation vulnerability in Smarty.class.php.