ThinkUpLLC / ThinkUp

ThinkUp gives you insights into your social networking activity on Twitter, Facebook, Instagram, and beyond.
http://thinkup.com
GNU General Public License v3.0

Possible Path manipulation vulnerability #2289

Open enferas opened 3 years ago

enferas commented 3 years ago

Hello,

I would like to report a path manipulation vulnerability.

The path of the vulnerability:

File "Smarty.class.php" line 1714

function _read_file($filename)
{
    if ( file_exists($filename) && is_readable($filename) && ($fd = @fopen($filename, 'rb')) ) {
        $contents = '';
        while (!feof($fd)) {
            $contents .= fread($fd, 8192);
        }
        fclose($fd);
        // the source
        return $contents;
    } else {
        return false;
    }
}

File "core.read-cache-file.php"

line 43
// the source will be the returned value from _read_file
$params['results'] = $smarty->_read_file($_cache_file);
// line 51
$_contents = $params['results'];
// line 54
$_cache_info = unserialize(substr($_contents, $_info_start, $_info_len));
//line 73
// the pattern is array_keys here
foreach (array_keys($_cache_info['template']) as $_template_dep) {
    $_params['resource_name'] = $_template_dep;
    // the source will pass to _fetch_resource_info function
    if (!$smarty->_fetch_resource_info($_params) || $_cache_info['timestamp'] < $_params['resource_timestamp']) {
        // template file has changed, regenerate cache
        return false;
    }
}

File "Smarty.class.php"

// line 1538 in function _fetch_resource_info
$_params = array('resource_name' => $params['resource_name']) ;
// line 1544
if ($this->_parse_resource_name($_params)) {..}
// line 1620 in function _parse_resource_name
// $params is $_params
$_resource_name_parts = explode(':', $params['resource_name'], 2);
// line 1632
$params['resource_type'] = $_resource_name_parts[0];
// line 1661
$_params = array('type' => $params['resource_type']);
// line 1663
// the source will be passed in $_params['type'] to the function smarty_core_load_resource_plugin
smarty_core_load_resource_plugin($_params, $this);

File "core.load_resource_plugin.php"

// line 44
// $params['type'] will be in $_plugin_file
$_plugin_file = $smarty->_get_plugin_filepath('resource', $params['type']);
// line 51
include_once($_plugin_file);
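The data flow traced above (cache file contents, `unserialize`, template dependency keys, resource type, plugin file path, `include_once`) as an added PHP example that is not ThinkUp's or Smarty's own code. It reproduces the unchecked string-to-path step from the report beside a checked variant that restricts the resource type to an identifier and confirms the resolved file stays inside the plugin directory. `PLUGIN_DIR`, the `resource.<type>.php` naming, the `'file'` fallback and the sample cache info are assumptions made for illustration.

```php
<?php
// Added example, not code from ThinkUp or Smarty. Models the reported flow:
// cache file -> unserialize -> template dependency names -> resource type
// -> plugin file path -> include_once, with a validation step before the include.
declare(strict_types=1);

// Hypothetical plugin directory (Smarty takes this from $smarty->plugins_dir).
const PLUGIN_DIR = __DIR__ . '/plugins';

// Mirrors line 1632 of the excerpt: the type is the text before the first ':'.
// Falling back to 'file' when there is no ':' is an assumption for this example.
function resource_type_from_name(string $resource_name): string
{
    $parts = explode(':', $resource_name, 2);
    return count($parts) === 2 ? $parts[0] : 'file';
}

// Unchecked pattern from the report: the type string, which originated in the
// cache file, is concatenated straight into the file name that gets included.
function plugin_path_unchecked(string $type): string
{
    return PLUGIN_DIR . '/resource.' . $type . '.php';
}

// Checked variant: the type must be a plain identifier, and the resolved path
// must sit inside PLUGIN_DIR. Returns null when either check fails.
function plugin_path_checked(string $type): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_]+\z/', $type)) {
        return null; // separators, dots and control bytes never reach a path
    }
    $base = realpath(PLUGIN_DIR);
    $real = realpath(PLUGIN_DIR . '/resource.' . $type . '.php');
    if ($base === false || $real === false) {
        return null; // plugin directory or plugin file does not exist
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the plugin directory
    }
    return $real;
}

// Constructed stand-in for what unserialize() on the cache file yields. The
// template dependency names are the array keys, exactly as the foreach in
// core.read-cache-file.php iterates them.
function demo(): array
{
    $cache_info = [
        'timestamp' => 1700000000,
        'template'  => [
            'file:index.tpl'   => true,
            'db:home/page'     => true,
            'sub/dir:page.tpl' => true, // constructed entry with a path separator in the type
        ],
    ];
    $out = [];
    foreach (array_keys($cache_info['template']) as $dep) {
        $type = resource_type_from_name($dep);
        $out[$dep] = [
            'type'      => $type,
            'unchecked' => plugin_path_unchecked($type),
            'checked'   => plugin_path_checked($type),
        ];
    }
    return $out;
}

print_r(demo());
```

Run with `php example.php`. For `sub/dir:page.tpl` the unchecked path contains the separator taken from the cache file, while the checked path is `null`; for `file` and `db` the checked path is also `null` unless a matching `plugins/resource.<type>.php` actually exists, which is the point of resolving with `realpath` before the include rather than after.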

auyongcheemeng commented 3 years ago

Since #2285 (the 2016 Announcement), the ThinkUp app is basically shut down and its code base is unmaintained/discontinued.

enferas commented 2 years ago

Thank you for your response.

Just for research purposes, CVE-2021-43674 has been assigned.

UNSUPPORTED WHEN ASSIGNED ThinkUp 2.0-beta.10 is affected by a path manipulation vulnerability in Smarty.class.php.