Templates - hints
As an update, I have provided working exploits for several security issues in Template-Lite to PanamaJack.
I'd like him to have the chance to update his library, so let's give him time to do so. We can discuss it further then.
I just wanted everyone to know I did take the time to respond, give details, and enough data that PJ can address the situation.
- AKA Panama Jack
- Forum Regular
- Posts: 878
- Joined: Mon Nov 14, 2005 4:21 pm
Roja wrote:
As an update, I have provided working exploits for several security issues in Template-Lite to PanamaJack.
I'd like him to have the chance to update his library, so let's give him time to do so. We can discuss it further then.
I just wanted everyone to know I did take the time to respond, give details, and enough data that PJ can address the situation.

I would like to say I have received that information but I haven't received any emails from Roja through Sourceforge or anywhere else. There hasn't been anything posted on the Template Lite forums or bug report either.
Maybe he will send the information to me later today. Who knows. So far my email box is empty.
- AKA Panama Jack
- Forum Regular
- Posts: 878
- Joined: Mon Nov 14, 2005 4:21 pm
Since you have a forum account at http://forums.aatraders.com and we accept attachments in PMs you could always send it as a PM instead of hoping it gets to me via email.
AKA Panama Jack wrote:
Since you have a forum account at http://forums.aatraders.com and we accept attachments in PMs you could always send it as a PM instead of hoping it gets to me via email.

Your site is blocked from my work, hence me contacting you via email.
Is your sourceforge email not the correct contact method (as listed on your Tlite project)?
In any case, I'll send it this evening to you on your forums. You might want to make mention of your preferred contact method on your sourceforge page for anyone else trying to contact you via email with security issues (and not having their email received).
- AKA Panama Jack
- Forum Regular
- Posts: 878
- Joined: Mon Nov 14, 2005 4:21 pm
AKA Panama Jack wrote:
My Sourceforge email does work. I just sent email to myself using sourceforge and it came in without a problem.

You might want to test sending to it from a gmail account. It appears your mail server doesn't have the ability to resolve the DNS for gmail servers. It's a fairly large mail provider, and others may try to email you with issues from it.

Error from email to PJ wrote:
This is an automatically generated Delivery Status Notification
THIS IS A WARNING MESSAGE ONLY.
YOU DO NOT NEED TO RESEND YOUR MESSAGE.
Delivery to the following recipient has been delayed:
akapanamajack@users.sourceforge.net
Message will be retried for 2 more day(s)
451-The mail server(s) for the domain may be temporarily unreachable, or
451-they may be permanently unreachable from this server. In the latter case,
451-you need to change the address or create an MX record for its domain
451-if it is supposed to be generally accessible from the Internet.
451 Talk to your mail administrator for details.

In the meantime, I took the extra step (per your request) of sending the attachment to you in your PM's on your game forum last night.
- alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
I have an idea
Why doesn't Roja inform AKAPJ about whatever issues you are both talking about on these forums?
Seeing how you're both frequent visitors...and email doesn't seem to be working...
Also...you possibly get a community perspective instead of just AKAPJ???
By keeping it secret...you're making me more curious...
Like that girl in high school, who doesn't like you...which makes you want her even more type syndrome
Are these issues inherent to all template engines? Or just Smarty-Lite?
Are they the issues which AKAPJ addresses shortly before this thread?
Cheers
Hockey wrote:
Why doesn't Roja inform AKAPJ about whatever issues you are both talking about on these forums?

Because I've already done so via his forums, and via email. Further, he deserves the chance to both evaluate the issue, work on a solution, and reply in depth - just like I needed time to develop the test kit for him.
Talking about it openly before he has a chance to dig in isn't fair to him, and will result in poor discussions. Be patient.

Hockey wrote:
By keeping it secret...you're making me more curious...

That's your issue. This is entirely common in the security field.
- AKA Panama Jack
- Forum Regular
- Posts: 878
- Joined: Mon Nov 14, 2005 4:21 pm
Well, Roja finally sent me the file.
Oh, the issue you are having with GMail is not related to my email address or anything I have setup. The issue is with GMail itself and how GMail is apparently identifying itself in the email headers. Sourceforge is apparently KICKING the email. Probably because something in the email headers isn't resolving properly. Some email systems will kick email as spam if the headers do not match the sending server or if the headers appear altered.
You might want to try using a different email service other than GMail since it is still classified as BETA after all these many months. Your mail may not get to where it is supposed to go and you might not get some mail you should and you would never know.
But anyway back to Template Lite and the non-existent security hole.
The following is from the Template Lite documentation.

Smarty features currently unsupported.
Template Lite offers most of the features of Smarty but there are a number of features that are currently not supported. Some of these features will eventually be supported in later releases. This isn't a comprehensive list of unsupported features.
Template Class Variables: $debug_tpl, $debugging_ctrl, $autoload_filters, $compile_check, $cache_handler_func, $cache_modified_check, $security, $secure_dir, $security_settings, $trusted_dir, $compiler_class, $request_vars_order, $request_use_auto_globals, $error_reporting, $compile_id, $use_sub_dirs, $default_resource_type

As you can see the security variables are not supported by Template Lite at this time but they may be added at a later date.
Template Lite runs with the SAME settings as Smarty installed with the default settings.
With the example tpl file that Roja sent he enabled the security flag in Smarty. Which he knows is not supported by Template Lite as he mentioned it was not supported in the test program he sent me.

Code:
$smarty->security = true;

As I have said and is indicated in the documentation support for the $security variable isn't in template lite at this time. If you completely remove this setting from Roja's test then Smarty and Template Lite operate EXACTLY the same way. They both process and display the exact same information.
Now the reason they added the $security flag to Smarty was for sites that will be allowing people access to the template directory and ONLY the template directory so they can create and upload their own templates. It would prevent those people from executing PHP code they shouldn't. If you are going to have people rummaging around in your site's template directory that you don't trust then you should probably stick with Smarty until the $security flag is added to Template Lite.
If the same people managing the templates also have access to the web site's main directory then enabling the security features in Smarty is 100% totally useless. This is because they can just upload a PHP program and execute it instead.
In other words there really isn't a security hole in Template Lite unless you consider the default configuration that Smarty installs with a security hole. If so then you might want to jump all over them as well on their forums.
As I said in the documentation some of these things will be added in the future.
To be blunt...
Template Lite is just as secure, if not more so, as anything YOU write and install on your web site. Because it will only execute what you tell it to execute just like any PHP program you write will only execute what you wrote it to execute.
There is nothing anyone accessing web pages that use Template Lite can do to cause any kind of security problem. PERIOD.
Last edited by AKA Panama Jack on Wed Jun 07, 2006 9:43 pm, edited 2 times in total.
- alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Roja wrote:
That's your issue. This is entirely common in the security field.

I don't know what circles of programmers you hang around with...outside of devnetwork.net but I believe that mentality is often referred to as: Security Through Obscurity
Keeping a bug secret until the author has a chance to respond...I can't believe you of all people...Mr. Open Source himself just said that
Which open source projects do you refer to when you say this is common practice?
Linux, Mozilla, Open Office, PHP???
I'm curious...cause I thought that mentality was what open source was trying to stifle, by virtue of the fact it's "open" to the public for use, scrutiny, modification, etc...
I'd like to know which projects prefer to get bug/security reports before the general public, as I'd like to try and change their way of thinking...
About the only time that makes sense...is in the authors defense (ie: is it really a problem or should I get the original authors response first so I don't look silly making invalid claims?)
The more/sooner a security problem is propagated to the general community the better chance there is in finding a solid solution...as much as I respect AKAPJ (I'm an avid beginner of both AdoDB Lite and Template Lite) I'm sure he'd agree as should you...that 2 eyes are always better than one
Unless you're a cyclops...in which case...you're either a pirate or some beast with special powers...making you the exception
Cheers
AKA Panama Jack wrote:
As you can see the security variables are not supported by Template Lite at this time but they may be added at a later date.

Until they are, any admin that does not examine a template before installing it is at risk.
With Smarty, an admin can set the security flag, and can be safe doing so. Template-lite offers no such protection, leaving admins open to serious compromise. That you don't consider that a security flaw is precisely why I won't use your library.

AKA Panama Jack wrote:
Template Lite runs with the SAME settings as Smarty installed with the default settings.

Template lite offers no protections for this issue. That's not the same. Surely you see the difference.

AKA Panama Jack wrote:
Now the reason they added the $security flag to Smarty was for sites that will be allowing people access to the template directory and ONLY the template directory so they can create and upload their own templates. It would prevent those people from executing PHP code they shouldn't. If you are going to have people rummaging around in your site's template directory that you don't trust then you should probably stick with Smarty until the $security flag is added to Template Lite.

That's not why they added it. They added it because admins running games, like aatraders, will be installing complicated, large, substantial templates without examining every line of code in them. You offer no protection to those admins. Many of the user submitted templates in the latest released version of AATraders are full of php tags, which could contain serious security issues that admins cannot protect against, and don't examine before installing.

AKA Panama Jack wrote:
If the same people managing the templates also have access to the web site's main directory then enabling the security features in Smarty is 100% totally useless. This is because they can just upload a PHP program and execute it instead.

It's not at all useless. I can install a template with the security setting on, and say definitively that the risks present in the tests I sent you are not present in Smarty. You offer no alternative.
Or put more clearly your library requires perfect vigilance, and full examination of every template installed. Smarty offers a single variable that removes those risks appropriately. Which makes sense?

AKA Panama Jack wrote:
There is nothing anyone accessing web pages that use Template Lite can do to cause any kind of security problem.

Those were not the only issues present.

Hockey wrote:
I don't know what circles of programmers you hang around with...outside of devnetwork.net but I believe that mentality is often referred to as: Security Through Obscurity

No, it's not. It's called the Full Disclosure debate.
Security is about keeping a balance between the attackers and the defenders, and as one of the defenders, with my own applications, I want a chance to patch my app and distribute that patch before attackers start taking down every site running my apps.

Hockey wrote:
Which open source projects do you refer to when you say this is common practice?
Linux, Mozilla, Open Office, PHP???

I'm not positive on OO, but the other three all do so. They have a private mailing list or a bugtracker where security bugs can be (and are regularly) set private to allow the fixes to be developed before the attackers see the description and start attacking en masse.
Read a few blog posts and discussions about full disclosure.. here's a good one:
http://blog.mattmecham.com/archives/200 ... isclo.html

Hockey wrote:
The more/sooner a security problem is propagated to the general community the better chance there is in finding a solid solution...as much as I respect AKAPJ (I'm an avid beginner of both AdoDB Lite and Template Lite) I'm sure he'd agree as should you...that 2 eyes are always better than one

It's not a matter of needing more eyes to find a solution. The solution was INCLUDED in the problem description. But having more eyes can mean more attackers - before a solution is available.
Full disclosure is bad, and that's a whole different topic - start a new thread for it.
That said, after this response to a simple to fix, obvious security flaw, maybe Full Disclosure and working exploit code IS a better solution. Let the dense defensive authors defend their scripts on dozens of sites against working exploits with excuses. I suspect it might get a different result.
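Both PJ's explanation of the $security flag and Roja's point about admins installing templates they have not read turn on the same fact: under Template Lite a template can contain PHP and that PHP runs. As an added example (not code from Template Lite, Smarty, or either poster), here is a pre-install check an admin could run over a template directory before installing a third-party template. The .tpl extension, the markers flagged (raw PHP open tags and Smarty's {php} block tag) and the sample templates are assumptions constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Markers that let a template execute PHP on the server. Deliberately
# conservative: anything that looks like PHP is flagged, even inside
# {literal} or HTML comments, because a false positive only costs the
# admin a look at the file while a miss costs the server.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=|\s)", re.IGNORECASE)   # <?php, <?=, <? ...
SMARTY_PHP_BLOCK = re.compile(r"\{/?php\b", re.IGNORECASE)       # {php} ... {/php}


def find_php_in_template(text):
    """Return (line_no, kind, stripped_line) for every line carrying PHP."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if PHP_OPEN_TAG.search(line):
            findings.append((line_no, "php-open-tag", line.strip()))
        if SMARTY_PHP_BLOCK.search(line):
            findings.append((line_no, "smarty-php-block", line.strip()))
    return findings


def audit_template_dir(directory):
    """Scan every *.tpl below directory; map path -> findings for files with PHP."""
    report = {}
    for path in sorted(Path(directory).rglob("*.tpl")):
        findings = find_php_in_template(path.read_text(errors="replace"))
        if findings:
            report[str(path)] = findings
    return report


# Constructed sample templates: one that only uses template syntax, and one
# that embeds PHP two ways. What the PHP does is irrelevant; the engine runs it.
SAFE_TPL = """<html>
<body>
<h1>{$title|escape}</h1>
{foreach from=$items item=row}<li>{$row.name|escape}</li>{/foreach}
</body></html>
"""

UNSAFE_TPL = """<html>
<body>
<h1>{$title}</h1>
{php}
  echo date('Y');
{/php}
<?php echo $_SERVER['SERVER_NAME']; ?>
</body></html>
"""


def run_demo():
    """Write the samples into a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "safe.tpl").write_text(SAFE_TPL)
        Path(tmp, "unsafe.tpl").write_text(UNSAFE_TPL)
        report = audit_template_dir(tmp)
        return {Path(p).name: f for p, f in report.items()}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        for line_no, kind, snippet in findings:
            print(f"{name}:{line_no}: {kind}: {snippet}")
```

Any file the report names should be read line by line before it goes anywhere near the template directory; an empty report only means no PHP markers were found, not that the template is otherwise trustworthy.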
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
OK, from an end users standpoint, one who has sole and total control of the templates, server and code filling the templates, what are my risks? I can understand the potential for security concerns when using an application that allows anyone to load a template that could potentially execute code. But if that is not going to happen (because I am not going to do that), are there any security risks for me?
I know, I know, it's all about me. It's hard to be the center of the universe, but I give it my all.