Templates - hints

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

Moderator: General Moderators

AKA Panama Jack
Forum Regular
Posts: 878
Joined: Mon Nov 14, 2005 4:21 pm

Post by AKA Panama Jack »

Everah wrote:OK, from an end user's standpoint, one who has sole and total control of the templates, server and code filling the templates, what are my risks? I can understand the potential for security concerns when using an application that allows anyone to load a template that could potentially execute code. But if that is not going to happen (because I am not going to do that), are there any security risks for me?

I know, I know, it's all about me. It's hard to be the center of the universe, but I give it my all. :wink:
Absolutely no risk at all. :)

The only risk would be if you allow someone ftp access to ONLY THE TEMPLATE DIRECTORY. And to be blunt, if someone has access to your template directory they probably have access to the web site's directory as well, and they will upload a PHP program to do any dirty work instead of taking time to download a template, alter it and reupload it.
AKA Panama Jack
Forum Regular
Posts: 878
Joined: Mon Nov 14, 2005 4:21 pm

Post by AKA Panama Jack »

Roja wrote:
AKA Panama Jack wrote:As you can see the security variables are not supported by Template Lite at this time but they may be added at a later date.
Until they are, any admin that does not examine a template before installing it is at risk.

With Smarty, an admin can set the security flag, and can be safe doing so. Template-lite offers no such protection, leaving admins open to serious compromise. That you don't consider that a security flaw is precisely why I won't use your library.
By the same logic you are using here a person should examine line by line any PHP program they install on their server to make sure the author hasn't included something that would open their server to a security risk.

So I have to ask...

Are you examining line by line every PHP program or PHP package before you have installed it on any server? If you answer no then, by your logic, you have opened yourself up to all kinds of security problems.

Anyone with a security background would know that PHP programs pose a bigger security problem because most people CAN'T spend the time going through thousands of lines of code looking for a potential security problem before they install the package.
Roja wrote:
AKA Panama Jack wrote:Template Lite runs with the SAME settings as Smarty installed with the default settings.
Template Lite offers no protections for this issue. That's not the same. Surely you see the difference.
Yes it is the same and you should see that. I have looked at many different packages that use Smarty so I can test compatibility. I have found only a couple of them that actually enable the security flag. Most of the PHP program packages that I have checked that use Smarty DO NOT enable any of the security features Smarty offers.
Roja wrote:
AKA Panama Jack wrote:Now the reason they added the $security flag to Smarty was for sites that will be allowing people access to the template directory and ONLY the template directory so they can create and upload their own templates. It would prevent those people from executing PHP code they shouldn't. If you are going to have people rummaging around in your sites template directory that you don't trust then you should probably stick with Smarty until the $security flag is added to Template Lite.
That's not why they added it. They added it because admins running games, like aatraders, will be installing complicated, large, substantial templates without examining every line of code in them. You offer no protection to those admins. Many of the user submitted templates in the latest released version of AATraders are full of php tags, which could contain serious security issues that admins cannot protect against, and don't examine before installing.
Now that is just a try at an indirect slam of another programming project I work on. You should be ashamed of yourself for being so petty.

If a person is that paranoid about installing a user created template then they should be MORE paranoid about installing a large PHP program package. Why would an admin be more scared of installing a template package than installing a PHP program package? That one definitely eludes me.

And I do not know where you are getting your information about user submitted templates for AAtraders because there AREN'T any for download that I know about. The only extra templates were two low bandwidth templates that WE created and offered for download as replacements for the high graphic templates. You might want to research your claims before making them in the future.
Roja wrote:
AKA Panama Jack wrote:If the same people managing the templates also have access to the web site's main directory then enabling the security features in Smarty is 100% totally useless. This is because they can just upload a PHP program and execute it instead.
It's not at all useless. I can install a template with the security setting on, and say definitively that the risks present in the tests I sent you are not present in Smarty. You offer no alternative.

Or put more clearly, your library requires perfect vigilance and full examination of every template installed. Smarty offers a single variable that removes those risks appropriately. Which makes sense?
As a security professional I don't see how you can say that with a straight face.
Roja wrote:
AKA Panama Jack wrote:There is nothing anyone accessing web pages that use Template Lite can do to cause any kind of security problem.
Those were not the only issues present.
If there are others then why didn't you present them? I would have thought you would have presented information to me about all of the problems you thought you found at the same time instead of dribbling them out slowly.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

No, it's not. It's called the Full Disclosure debate.
I still say in principle...it's Security through obscurity...

So you're telling me that companies like Secunia wait for the developers to discover/confirm a bug and apply a fix before they post well-known exploits...???

Although your approach is respectable and I as a developer would appreciate being informed before publication of a bug/flaw, etc...

Indeed...that is security through obscurity...hiding details to prevent attacks...

Full Disclosure debate might be the politically correct term, but by no means accurate...

Cheers :)
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

Hockey wrote:I still say in principle...it's Security through obscurity...
There are two main uses for Security through Obscurity. The first is using obscurity as a component of a security system where security of the system relies, in full or in part, on obscurity. The second is to include obscurity as an addition to Defense in Depth, but not relying on it as an actual security measure.

The first is generally discredited on some levels of security, but is quite common on other levels -- for example passwords are a form of Security through Obscurity. The second is generally seen as neutral to slightly effective, the danger being that on some level there is reliance on obscurity.

As ever with security -- lots of hard work, no easy answers.
Last edited by Christopher on Thu Jun 08, 2006 1:17 am, edited 1 time in total.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

AKA Panama Jack wrote:
Everah wrote:OK, from an end user's standpoint, one who has sole and total control of the templates, server and code filling the templates, what are my risks? I can understand the potential for security concerns when using an application that allows anyone to load a template that could potentially execute code. But if that is not going to happen (because I am not going to do that), are there any security risks for me?

I know, I know, it's all about me. It's hard to be the center of the universe, but I give it my all. :wink:
Absolutely no risk at all. :)

The only risk would be if you allow someone ftp access to ONLY THE TEMPLATE DIRECTORY. And to be blunt, if someone has access to your template directory they probably have access to the web site's directory as well, and they will upload a PHP program to do any dirty work instead of taking time to download a template, alter it and reupload it.
Cool. I had hoped that was the case. I could see the potential for issues when allowing PHP code to be executed inside of a template, but if I am the only one that is uploading code and I am the only one with access to my server (I know it sounds naive to say I am the only one to access the server, but for this conversation I think it is fair) then it would make sense to say that if there were any security issues it would be on me and my code development, not the apps that I use.

Thanks AKAPJ. And to Roja and hockey for a great debate (aside from the heated tones of the posts this is actually a very entertaining and educational thread).
AKA Panama Jack
Forum Regular
Posts: 878
Joined: Mon Nov 14, 2005 4:21 pm

Post by AKA Panama Jack »

Everah wrote:Thanks AKAPJ. And to Roja and hockey for a great debate (aside from the heated tones of the posts this is actually a very entertaining and educational thread).
No problem. :)

When someone claims a security hole in a web application most people assume that it is a hole where people accessing through the web page can exploit it and that cannot happen using Template Lite.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

I'm selfish too :).

The risk:

Someone will upload templates containing malicious PHP code embedded in the template file.

The solution:

Disable PHP code in all templates, and enforce the Smarty tag language.

The covering mechanism:

Set the Smarty $security variable or flag to TRUE.

The question of whether this is a security flaw or not is interesting, but I'll have to go with not. It's not a flaw. It's clearly documented, and it's common practice in template engines. It still remains the default setting even in Smarty. It's perceived as a security flaw within the context of unreviewed templates being installed which are created by external users. Now being honest, it can be perceived as a flaw if it claimed to be a Smarty clone (with all features). In this case, the missing feature is documented - so that reason doesn't quite hold.

If you have no external users or potentially untrustworthy folk whose templates you install (distinct from the developers, hopefully!) - then there is no risk. Presumably you are not adding malicious PHP code to your own templates in an effort to hack your own server? :) The security protection is a very good feature, especially if you support custom templates. Or have designers working for you with access to a template directory (and only the tpl directory) who shouldn't be adding PHP in any case. Or for other reasons - but it's an additional measure covering a specific risk that most people will never be exposed to.

Personally I don't use the security setting in my own open source game. It was suggested lots of times, but it's pointless. We don't currently support custom templates (yet), we don't add PHP in Smarty templates, and we presume that if someone can mess with a user's templates then they have already gotten into the webroot and can do whatever they wish anyway.

It's a missing feature (documented), not a flaw. If it were a flaw, we'd be red flagging Savant and every other pure PHP based template engine...
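The risk / solution / mechanism above in working form. This is an added example, not code from the thread, from Smarty or from Template Lite: it shows the Smarty 2.x API the posts refer to (the `$security`, `$secure_dir` and `$security_settings` members), first with the shipped defaults and then with the sandbox on. It assumes Smarty 2.x under ./libs, writable ./templates and ./templates_c directories, and a constructed theme file named theme.tpl.

```php
<?php
// Added example (not from the thread or either project): the two Smarty 2.x
// configurations the posts above contrast. Assumes Smarty 2.x is installed
// under ./libs and that ./templates and ./templates_c exist and are writable.
// The theme below is constructed for illustration.
require_once './libs/Smarty.class.php';

// An untrusted "theme" as a contributor might submit it. With the default
// settings Smarty compiles the {php} block into the cached PHP file and runs
// it as the web server user. strrev() is used so the marker word EXECUTED only
// appears in the output if the block actually ran (the source reads DETUCEXE).
$untrusted_theme = <<<'TPL'
<h1>{$title}</h1>
{php}
    echo strrev('DETUCEXE') . ' as user ' . get_current_user();
{/php}
TPL;

// Setting 1: Smarty defaults, which is how most packages ship it. $security is
// false, so {php}, {include_php}, {insert}, arbitrary PHP functions as
// modifiers and inside {if}, and {include} of any path are all honoured.
// (Raw <?php ?> in template text is already passed through as text by default,
// because $php_handling defaults to SMARTY_PHP_PASSTHRU.)
function smarty_default()
{
    $smarty = new Smarty();
    $smarty->template_dir = './templates';
    $smarty->compile_dir  = './templates_c';
    return $smarty;
}

// Setting 2: the same engine with the sandbox switched on. This is the
// "$security = true" the thread refers to. The security_settings keys are
// Smarty 2's own; the values are the ones suitable for themes you have not read.
function smarty_hardened()
{
    $smarty = new Smarty();
    $smarty->template_dir = './templates';
    $smarty->compile_dir  = './templates_c';
    $smarty->security   = true;
    $smarty->secure_dir = array('./templates');            // {include} only from here
    $smarty->security_settings['PHP_TAGS']        = false; // {php}{/php} rejected at compile time
    $smarty->security_settings['PHP_HANDLING']    = false; // $php_handling forced to passthru
    $smarty->security_settings['INCLUDE_ANY']     = false; // no {include} outside secure_dir
    $smarty->security_settings['ALLOW_CONSTANTS'] = false;
    $smarty->security_settings['MODIFIER_FUNCS']  = array('count');
    $smarty->security_settings['IF_FUNCS'] = array('array', 'list', 'isset', 'empty',
        'count', 'sizeof', 'in_array', 'is_array', 'true', 'false', 'null');
    // Compiled files produced before security was enabled still contain the
    // PHP. Force a recompile here; in production, empty templates_c instead.
    $smarty->force_compile = true;
    return $smarty;
}

// Write the theme where both engines will find it, then render it.
function render_theme(Smarty $engine, $source)
{
    file_put_contents('./templates/theme.tpl', $source);
    $engine->assign('title', 'Untrusted theme');
    return $engine->fetch('theme.tpl');
}

// Default engine: the block executes and "EXECUTED as user ..." is in the page.
$out = render_theme(smarty_default(), $untrusted_theme);
echo (strpos($out, 'EXECUTED') !== false) ? "default: block ran\n" : "default: blocked\n";

// Hardened engine: compilation raises an E_USER_WARNING (Smarty 2 reports
// "(secure mode) php tags not permitted" via trigger_error, not an exception)
// and the block is never executed, so the marker word never appears.
$out = render_theme(smarty_hardened(), $untrusted_theme);
echo (strpos($out, 'EXECUTED') !== false) ? "hardened: block ran\n" : "hardened: blocked\n";
```

Two things the thread's "just set the flag" shorthand leaves out: the flag only protects templates compiled after it was set (hence the force_compile / clear templates_c note), and IF_FUNCS and MODIFIER_FUNCS are the part of the sandbox that closes the less obvious routes to code execution ({$x|passthru}, {if system('id')}), so they deserve the same attention as PHP_TAGS.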
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

Good to get this "issue" explained. I was thinking about trying Template Lite for my project and reading about "some yet undisclosed" security issue almost made me doubt. As I will definitely not let other users mess with templates, it'll be safe for me to use, as it seems. At least, I'm not planning to hack my own server at the moment :)
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

I say wait a while... It hasn't been confirmed this was the sole issue noted.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

Quick hits responses in general..

Hockey: Security through obscurity is an entirely different topic. Yes, major security firms do follow responsible disclosure. Bruce Schneier's take was right on: it's not about hiding the vulnerability (that would be security through obscurity), it's about reducing the potential damage by minimizing the time-to-patch. ( http://www.schneier.com/crypto-gram-0203.html#2 ), but once again, this is off-topic, and if you would like to start a new thread about disclosure, feel free; it's a HUGE discussion. It will easily take dozens of replies to dig into.

PJ: Whether you feel it's a risk or not doesn't change the facts. Given a template with embedded PHP tags (and the ones you currently offer for aatrade contain them), an admin using Template Lite has two choices: examine the entire template for risks, or accept the risk. With Smarty, there is a third choice: turn on security, and you are safe from that risk. That is why *I* feel your library isn't appropriate for BNT, and won't endorse it for situations where admins routinely do not examine templates line-by-line.

The difference between *template* code and *PHP* code, especially with these engines, should be night and day in terms of risk. Smarty recognized that, and added those protections. It baffles me that it's not a concern to more people.

I stand by my statement. It's a security flaw. Can a template do more than present output? YES. That's broken. We preach on these forums about the importance of filtering data, and yet here, people are saying it's perfectly acceptable to have data (templates) that performs actions, and saying "hey, filter that" isn't a security issue?

Madness, foolishness, and arrogance.

I've said my piece, and it's a no-brainer to me. I'm not using a library that requires blind faith, or perfect vigilance for template code. I'll use a library that recognizes the danger, and puts controls in place to manage that risk.

If you disagree, if you feel it's safe, if you feel that's a reasonable risk, that's your choice.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

I stand by my statement. It's a security flaw. Can a template do more than present output? YES. That's broken. We preach on these forums about the importance of filtering data, and yet here, people are saying it's perfectly acceptable to have data (templates) that performs actions, and saying "hey, filter that" isn't a security issue?
It's a flaw if used within a specific context. Outside that context it is not a flaw. Since the risk is context based, the flaw lies not with the Developer, but with the user who after reading the documentation has determined to allow external sources include templates within their application.

I see where you are coming from, but any argument for templates applies equally to any other file. If a user chooses to upload a file, then it carries the risk of being malicious. But you can't screen all PHP files - we assume the developers already have, and if a flaw occurs that they will patch it quickly. When we use plugins, do we screen them too? Does that make an application which accepts third-party plugins inherently flawed? I don't think so - otherwise there's a lot of flawed PHP apps out there.

It's a non-existent feature - not a flaw. When I develop QS as a game, and add a plugin facility, I will refuse to be held responsible for issues arising with plugins users install from other people. Just as I'd expect the developer of a template library which has a documented list of missing features which allow PHP in templates to refuse responsibility. Users are free not to use the library if the feature is a requirement...
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

I stand by my statement. It's a security flaw. Can a template do more than present output? YES. That's broken. We preach on these forums about the importance of filtering data, and yet here, people are saying it's perfectly acceptable to have data (templates) that performs actions, and saying "hey, filter that" isn't a security issue?
It's not a security flaw...and if it is...it's an application flaw not a Smarty Lite flaw...

Myself and, it seems, most others all agree it's not a security flaw, as we don't allow third parties to upload templates...

In which case, that functionality would be useless and add bloat for no reason...

Runtime protection strategies should not be used as a substitute for eliminating the source of the vulnerability...

If you really need to know templates are secure, have them pass through an upload script which parses them and performs a security lint check...that would be solving the issue correctly, although 10 times more difficult than preventing any PHP code from executing.

1) Semantic analysis would be way more accurate and flexible than out-right banning PHP...
2) Having secured the template at upload you avoid the unnecessary overhead of runtime security checks - as minimal as they might be...

For those reasons, your claim is incorrect as it's clearly outside the domain of a template engine, but rather a hack that found itself inside template engines out of necessity, likely due to Smarty's popularity...
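What the "upload script which parses them and performs a security lint check" above could look like, as an added example that is not code from Template Lite, Smarty or anyone in the thread. It scans Smarty-style template source for every construct that executes or includes PHP rather than rendering output (raw PHP tags, {php}, {include_php}, {insert}, {include} outside the template tree, and PHP functions smuggled in as modifiers or inside {if}) and returns a list of findings an installer can act on. The pattern list is this example's own; the two allowlists copy the IF_FUNCS and MODIFIER_FUNCS defaults Smarty 2 applies when $security is on. It assumes PHP 5.6 or later and takes no dependencies; the sample theme is constructed.

```php
<?php
/*
 * Added example (not code from Template Lite, Smarty or the thread): a
 * pre-installation lint for Smarty-style templates. It flags constructs that
 * let a template execute PHP instead of only rendering output, so an admin can
 * reject a submitted theme before it reaches the template directory.
 * Pattern list is this example's own; the allowlists mirror Smarty 2's
 * secure-mode defaults for IF_FUNCS and MODIFIER_FUNCS. Assumes PHP >= 5.6.
 */

// Modifiers Smarty 2 ships as plugins, plus 'count', the one PHP function its
// secure mode allows as a modifier. Any other modifier name is a raw PHP call.
const SAFE_MODIFIERS = array(
    'capitalize', 'cat', 'count_characters', 'count_paragraphs',
    'count_sentences', 'count_words', 'date_format', 'default', 'escape',
    'indent', 'lower', 'nl2br', 'regex_replace', 'replace', 'spacify',
    'string_format', 'strip', 'strip_tags', 'truncate', 'upper', 'wordwrap',
    'count',
);

// Functions permitted inside {if}/{elseif}; {if system('id')} is code execution.
const SAFE_IF_FUNCS = array('array', 'list', 'isset', 'empty', 'count',
    'sizeof', 'in_array', 'is_array', 'true', 'false', 'null');

// Constructs that execute or include PHP outright: regex => array(severity, why).
const TEMPLATE_PATTERNS = array(
    '/<\?(?:php\b|=)/i'                     => array('reject', 'raw PHP open tag'),
    '/<\?(?=\s)/'                           => array('reject', 'short PHP open tag'),
    '/<%/'                                  => array('reject', 'ASP-style open tag (live when asp_tags=On)'),
    '/<script\s+language\s*=\s*["\']?php/i' => array('reject', '<script language="php"> block'),
    '/\{php\b/i'                            => array('reject', '{php} block'),
    '/\{include_php\b/i'                    => array('reject', '{include_php} tag'),
    '/\{insert\b/i'                         => array('reject', '{insert} tag (calls insert_* PHP functions)'),
    '/\{include\s+[^}]*file\s*=\s*["\']?(?:\/|\.\.|[a-z]:)/i'
                                            => array('reject', '{include} with absolute or parent path'),
    '/\{include\s+[^}]*file\s*=\s*\$/i'     => array('review', '{include} path comes from a variable'),
);

// Returns one finding per suspicious construct:
// array('line' => int, 'severity' => 'reject'|'review', 'reason' => string, 'text' => string).
// An empty array means the template only renders output.
function lint_template($source)
{
    $findings = array();
    foreach (preg_split('/\r\n|\r|\n/', $source) as $i => $line) {
        $add = function ($severity, $reason) use (&$findings, $i, $line) {
            $findings[] = array('line' => $i + 1, 'severity' => $severity,
                                'reason' => $reason, 'text' => trim($line));
        };
        foreach (TEMPLATE_PATTERNS as $re => $what) {
            if (preg_match($re, $line)) {
                $add($what[0], $what[1]);
            }
        }
        // Only look inside {...} tags, so "Home | About" in markup is not a modifier.
        preg_match_all('/\{[^}]*\}/', $line, $tags);
        foreach ($tags[0] as $tag) {
            // {$var|modifier:arg} and {$arr|@modifier}: each modifier must be allowlisted
            if (preg_match_all('/\|\s*@?([A-Za-z_][A-Za-z0-9_]*)/', $tag, $m)) {
                foreach ($m[1] as $mod) {
                    if (!in_array(strtolower($mod), SAFE_MODIFIERS, true)) {
                        $add('reject', "modifier '$mod' is a raw PHP function");
                    }
                }
            }
            // function calls inside {if ...} / {elseif ...}
            if (preg_match('/^\{(?:else)?if\b(.*)\}$/is', $tag, $cond)
                && preg_match_all('/([A-Za-z_][A-Za-z0-9_]*)\s*\(/', $cond[1], $calls)) {
                foreach ($calls[1] as $fn) {
                    if (!in_array(strtolower($fn), SAFE_IF_FUNCS, true)) {
                        $add('reject', "function '$fn' called inside {if}");
                    }
                }
            }
        }
    }
    return $findings;
}

// Constructed sample theme: ordinary markup mixed with what an admin should
// refuse. Lines 2 to 4 are clean and produce no findings.
$theme = <<<'TPL'
<html><body>
<h1>{$title|escape:'html'}</h1>
<p>Home | About | Contact</p>
{if count($players) > 0}{foreach from=$players item=p}<li>{$p.name|upper}</li>{/foreach}{/if}
{if system('id')}{/if}
{$footer|passthru}
{php} echo shell_exec('id'); {/php}
<?php include '/etc/passwd'; ?>
{include file="../../config.php"}
{include file=$skin}
</body></html>
TPL;

$findings = lint_template($theme);
foreach ($findings as $f) {
    printf("line %2d [%s] %s\n    %s\n", $f['line'], $f['severity'], $f['reason'], $f['text']);
}
// Refuse the upload on any 'reject'; 'review' items need a human to look.
$blocked = count(array_filter($findings, function ($f) { return $f['severity'] === 'reject'; })) > 0;
echo $blocked ? "REJECT upload\n" : "OK to install\n";
```

The check is an allowlist over a regex tokenisation, not a parser: it will miss a construct that is assembled at runtime (an {include} whose path is a variable is only marked for review, never cleared) and it knows nothing about plugins the site has registered. Run it at upload time as the post suggests, and where the engine also offers a compile-time switch, leave that on as well; neither is needed when the only person writing templates is the person running the server, which is the case most of this thread is about.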
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I stand by my statement. It's a security flaw. Can a template do more than present output? YES. That's broken. We preach on these forums about the importance of filtering data, and yet here, people are saying it's perfectly acceptable to have data (templates) that performs actions, and saying "hey, filter that" isn't a security issue?
I don't think I would call it a flaw. It is clearly described in the TL docs that the $security feature is not supported. Essentially, PJ has posted an 'Enter at your own risk' warning. If a user of the app, knowing the potential for security vulnerabilities, still chooses to allow users access to upload executable templates to their server in plain sight of the fact that the app says that protecting against it is not supported by the app, then that is on the user of the app.

Can the templates execute code? Yes. But users who are allowing people to upload code-laden templates to their server don't have to use the app. They can use Smarty for their sites. For everyone else, it seems like TL is still a viable, clean and secure application.

I should also qualify my statements here by saying that I am in no way a security expert. I like to code and I like to make apps and sites for people. So I may be talking out of my rear here. But it just seems that if you are managing the server, the codebase, the templates and the access, and you are the only one hitting the server from inside of the server, then the risks associated with executable code in the templates are mitigated if not eliminated.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

Can the templates execute code? Yes. But users who are allowing people to upload code-laden templates to their server don't have to use the app. They can use Smarty for their sites. For everyone else, it seems like TL is still a viable, clean and secure application.
Like I said, outside the domain of a template engine, specifically that of template lite... :)

I like TL because of its increase in performance/footprint (at least as indicated by AKAPJ - I haven't tested myself but I'll take his word for it :P )

By including a bunch of runtime checks, you're not only adding bloat (which in most cases it would seem is not required) but you're also fixing a problem at face value instead of *really* tackling the issue at the root.

Cheers :)
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

Roja wrote:PJ: Whether you feel it's a risk or not doesn't change the facts. Given a template with embedded PHP tags (and the ones you currently offer for aatrade contain them), an admin using Template Lite has two choices: examine the entire template for risks, or accept the risk. With Smarty, there is a third choice: turn on security, and you are safe from that risk. That is why *I* feel your library isn't appropriate for BNT, and won't endorse it for situations where admins routinely do not examine templates line-by-line.
I think the flaw in this logic is that your "third choice" for both libraries requires both Admin awareness and an Admin action. So an Admin unaware of the danger would have the same risk with either library. And an Admin aware of the problem would have a solution with either library (in both cases the recommendation is the same: install Smarty and set security=true). I think AKA Panama Jack agrees with you on the point that his library is currently not appropriate for cases where you want security=true -- so I don't believe there is an actual disagreement.