Posted: Fri Jun 02, 2006 7:45 pm
Template View is a good discussion of several template options and various implementation options.
Roja wrote: As an update, I have provided working exploits for several security issues in Template-Lite to PanamaJack.
I'd like him to have the chance to update his library, so let's give him time to do so. We can discuss it further then.
I just wanted everyone to know I did take the time to respond, give details, and enough data that PJ can address the situation.
I would like to say I have received that information but I haven't received any emails from Roja through Sourceforge or anywhere else. There hasn't been anything posted on the Template Lite forums or bug report either.
AKA Panama Jack wrote: Since you have a forum account at http://forums.aatraders.com and we accept attachments in PMs you could always send it as a PM instead of hoping it gets to me via email.
Your site is blocked from my work, hence me contacting you via email.
AKA Panama Jack wrote: My Sourceforge email does work. I just sent email to myself using sourceforge and it came in without a problem.
You might want to test sending to it from a gmail account. It appears your mail server doesn't have the ability to resolve the DNS for gmail servers. It's a fairly large mail provider, and others may try to email you with issues from it.
Error from email to PJ wrote: This is an automatically generated Delivery Status Notification
THIS IS A WARNING MESSAGE ONLY.
YOU DO NOT NEED TO RESEND YOUR MESSAGE.
Delivery to the following recipient has been delayed:
akapanamajack@users.sourceforge.net
Message will be retried for 2 more day(s)
451-The mail server(s) for the domain may be temporarily unreachable, or
451-they may be permanently unreachable from this server. In the latter case,
451-you need to change the address or create an MX record for its domain
451-if it is supposed to be generally accessible from the Internet.
451 Talk to your mail administrator for details.
Hockey wrote: Why doesn't Roja inform AKAPJ about whatever issues you are both talking about on these forums?
Because I've already done so via his forums, and via email. Further, he deserves the chance to both evaluate the issue, work on a solution, and reply in depth - just like I needed time to develop the test kit for him.
Hockey wrote: By keeping it secret...you're making me more curious...
That's your issue. This is entirely common in the security field.
Smarty features currently unsupported.
Template Lite offers most of the features of Smarty but there are a number of features that are currently not supported. Some of these features will eventually be supported in later releases. This isn't a comprehensive list of unsupported features.
Template Class Variables: $debug_tpl, $debugging_ctrl, $autoload_filters, $compile_check, $cache_handler_func, $cache_modified_check, $security, $secure_dir, $security_settings, $trusted_dir, $compiler_class, $request_vars_order, $request_use_auto_globals, $error_reporting, $compile_id, $use_sub_dirs, $default_resource_type
As you can see the security variables are not supported by Template Lite at this time but they may be added at a later date.
Code:
$smarty->security = true;
Roja wrote: That's your issue. This is entirely common in the security field.
I don't know what circles of programmers you hang around with...outside of devnetwork.net but I believe that mentality is often referred to as: Security Through Obscurity
AKA Panama Jack wrote: As you can see the security variables are not supported by Template Lite at this time but they may be added at a later date.
Until they are, any admin that does not examine a template before installing it is at risk.
AKA Panama Jack wrote: Template Lite runs with the SAME settings as Smarty installed with the default settings.
Template lite offers no protections for this issue. That's not the same. Surely you see the difference.
AKA Panama Jack wrote: Now the reason they added the $security flag to Smarty was for sites that will be allowing people access to the template directory and ONLY the template directory so they can create and upload their own templates. It would prevent those people from executing PHP code they shouldn't. If you are going to have people rummaging around in your sites template directory that you don't trust then you should probably stick with Smarty until the $security flag is added to Template Lite.
That's not why they added it. They added it because admins running games, like aatraders, will be installing complicated, large, substantial templates without examining every line of code in them. You offer no protection to those admins. Many of the user submitted templates in the latest released version of AATraders are full of php tags, which could contain serious security issues that admins cannot protect against, and don't examine before installing.
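An added example, not code from this thread, Template Lite or Smarty: the kind of pre-install review an admin is left to do by hand when the engine has no $security flag. It flags the template constructs that Smarty's security settings (PHP_TAGS, INCLUDE_ANY) would refuse; the regexes are assumptions for Smarty 2 syntax with the default "{" and "}" delimiters, and the sample template is constructed.

```php
<?php
// Added example; not code from this thread, Template Lite or Smarty.
// Flags the constructs that Smarty's $security flag (PHP_TAGS, INCLUDE_ANY)
// would refuse, so a Template Lite admin can review a third-party template
// before installing it. Regexes are assumptions for Smarty 2 syntax with the
// default "{" and "}" delimiters; adjust them if your delimiters differ.
const TEMPLATE_CHECKS = [
    'raw PHP open tag'               => '/<\?(?:php\b|=|\s)/i',
    '{php} block'                    => '/\{\s*php\b/i',
    '{include_php} directive'        => '/\{\s*include_php\b/i',
    'absolute or parent-dir include' => '/\{\s*include\s+file\s*=\s*["\']?(?:\/|\.\.\/)/i',
];

/** Return one finding per (line, check) hit: file, line number, issue, text. */
function audit_template(string $source, string $name): array
{
    $findings = [];
    foreach (explode("\n", $source) as $i => $line) {
        foreach (TEMPLATE_CHECKS as $label => $pattern) {
            if (preg_match($pattern, $line)) {
                $findings[] = ['file' => $name, 'line' => $i + 1,
                               'issue' => $label, 'text' => trim($line)];
            }
        }
    }
    return $findings;
}

/** Audit every *.tpl directly under $dir and merge the findings. */
function audit_template_dir(string $dir): array
{
    $findings = [];
    foreach (glob(rtrim($dir, '/') . '/*.tpl') as $path) {
        $findings = array_merge($findings,
            audit_template(file_get_contents($path), basename($path)));
    }
    return $findings;
}

// Constructed sample standing in for a user-submitted game template.
$sample = <<<'TPL'
<html><body>
{include file="header.tpl"}
<h1>{$title|escape}</h1>
<?php echo date('Y'); ?>
{php}echo $_SERVER['HTTP_HOST'];{/php}
{include file="../../config.php"}
</body></html>
TPL;

foreach (audit_template($sample, 'example.tpl') as $f) {
    printf("%s:%d %s: %s\n", $f['file'], $f['line'], $f['issue'], $f['text']);
}
```

An empty result only means none of the flagged constructs appeared; it does not replace reading the template, and audit_template_dir() is the call to run over a templates directory before enabling it.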
AKA Panama Jack wrote: If the same people managing the templates also have access to the web sites main directory then enabling the security features in Smarty is 100% totally useless. This is because they can just upload a PHP program and execute it instead.
It's not at all useless. I can install a template with the security setting on, and say definitively that the risks present in the tests I sent you are not present in Smarty. You offer no alternative.
AKA Panama Jack wrote: There is nothing anyone accessing web pages that use Template Lite can do to cause any kind of security problem.
Those were not the only issues present.
Hockey wrote: I don't know what circles of programmers you hang around with...outside of devnetwork.net but I believe that mentality is often referred to as: Security Through Obscurity
No, it's not. It's called the Full Disclosure debate.
Hockey wrote: Which open source projects do you refer to when you say this is common practice?
Linux, Mozilla, Open Office, PHP???
I'm not positive on OO, but the other three all do so. They have a private mailing list or a bugtracker where security bugs can be (and are regularly) set private to allow the fixes to be developed before the attackers see the description and start attacking en masse.
Hockey wrote: The more/sooner a security problem is propagated to the general community the better chance there is in finding a solid solution...as much as I respect AKAPJ (I'm an avid beginner of both AdoDB Lite and Template Lite) I'm sure he'd agree as should you...that 2 eyes are always better than one!
It's not a matter of needing more eyes to find a solution. The solution was INCLUDED in the problem description. But having more eyes can mean more attackers - before a solution is available.