Closed tomholub closed 4 years ago
I'm using a very old 1.* version of pico and have not used composer. I found my twig version in `/vendor/twig/twig/lib/Twig/Environment.php`, listed as 1.34.4.
I downloaded and set up in a development area the most recent stable version of pico yesterday (2.0.4) and it appears to contain twig version 1.36.0.
Am I reading this correctly that the vulnerability was introduced in twig 1.42.3 which I would have if I used composer to update this vendor package? Are there vulnerabilities in my older versions I don't know about? exploit.db is blocked here at work, can you describe how this exploit would work?
The old 1. version had 5 vulnerabilities identified, and the above vulnerability still showed up after I upgraded to latest 2. and re-ran the vulnerability checks.
On my end, I don't know. I'm just posting here what Snyk screams at me about. I'm not familiar with Twig releases, hopefully Pico maintainers can have a look.
Vulnerability details:
# Exploit Title: Twig <2.4.4 Server side template injection
# Date: 02/15/2018
# Exploit Author: JameelNabbo
# Author website: www.jameelnabbo.com
# Vendor Homepage: https://twig.symfony.com
# Software Link: https://twig.symfony.com/doc/2.x/intro.html#installation
# Version: < 2.4.4
# Tested on: MAC OSX
1. Description:
Twig is a modern PHP template engine which compiles templates down to plain optimized PHP code. Twig <2.4.4 contains an SSTI vulnerability which allows attackers to execute commands within the parameters, by just using {{COMMAND TO EXECUTE}} instead of the expected values ("normal integer or normal string"), depending on the vulnerable application, which takes different params by GET or POST.
Example: by injecting this in a search param http://localhost/search?search_key={{4*4}} Output: 16
2. POC:
http://localhost/search?search_key={{4*4}}
OUTPUT: 4
http://localhost/search?search_key={{ls}}
OUTPUT: list of files/directories etc….
I believe this is not a concern because as far as I am aware stock pico does not provide any source of injection. ie: there is no search provided or other parameter passing method? At least in my simple site I don't see any way for this to be exploited at all. However, there are plugins which provide additional functionality and which may open this possibility. Perhaps devs can confirm?
Very roughly that is my reading also. Looking at the Pico source, there is a `urlParamFunction` function exposed as `url_param` in the templates? If someone uses that, they may be vulnerable. I'm not a PHP dev so as you say this would be for the devs to look into.
I'm not sure how this is supposed to be exploited in general; the exploit description doesn't provide any actual Twig or PHP code - or am I missing something? Due to this I can only guess... Creating a test template with the following code (i.e. passing a URL parameter and explicitly not filtering it):

```twig
Trying to exploit {{ url_param('foo', 'unsafe_raw') }}
```

and requesting http://localhost/pico/?foo=%7B%7B4*4%7D%7D returns the URL parameter as a string (i.e. as expected):

```
Trying to exploit {{4*4}}
```
Since I don't understand how this exploit is supposed to work, I can't really judge whether plugins might be exploitable. I even tried creating a very simple Pico plugin passing both `[ 'params' => $_GET ]` (`{{ params["foo"] }}`) and `[ 'foo' => $_GET['foo'] ]` (`{{ foo }}`) unchanged - still nothing, the string is printed without interpretation.
Testing with Twig 1.42.3.
Also see twigphp/Twig#2743
This is a false warning/exploit.
https://app.snyk.io/vuln/SNYK-PHP-TWIGTWIG-72239
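The distinction the thread converges on is worth seeing in code: Twig only interprets `{{ ... }}` in template *source*; a value passed in as a template *variable* (which is what Pico's `url_param` does) is data and is printed as-is. The following PHP script is an added example, not code from the issue thread or from the Pico or Twig projects. It assumes `twig/twig` is installed through Composer and that the namespaced `Twig\` classes are available (Twig 2.7 and later; older releases use `Twig_Environment` / `Twig_Loader_Array` instead). The `$userInput` value is a constructed stand-in for `$_GET['foo']`, and `safe.twig` is a hypothetical template name.

```php
<?php
// Added example (not from the issue thread): contrasts passing user input to
// Twig as a variable with building template source from user input.
// Assumes twig/twig installed via Composer (namespaced classes, Twig >= 2.7).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// A fixed template that references a variable, mirroring how Pico exposes
// url_param(): the request parameter enters the template as a *value*.
$loader = new ArrayLoader([
    'safe.twig' => 'Trying to exploit {{ foo }}',   // hypothetical template name
]);
$twig = new Environment($loader, ['autoescape' => false]);

// Constructed sample input standing in for $_GET['foo'] = '{{4*4}}'.
$userInput = '{{4*4}}';

// 1) Variable interpolation: the braces are ordinary characters in a string,
//    so the output contains the literal text "{{4*4}}". This is the behaviour
//    the maintainer observed with url_param(), and it is not SSTI.
$safeOutput = $twig->render('safe.twig', ['foo' => $userInput]);
echo "variable:        ", $safeOutput, PHP_EOL;

// 2) Template source concatenated from user input: Twig now *compiles* the
//    user-supplied text, so "{{4*4}}" is evaluated as an expression. This is
//    the only pattern the advisory's PoC can describe, and stock Pico does not
//    do it; any plugin that calls createTemplate() (or writes a template file)
//    with request data would, independent of the Twig version.
$template = $twig->createTemplate('Trying to exploit ' . $userInput);
$unsafeOutput = $template->render([]);
echo "template source: ", $unsafeOutput, PHP_EOL;

// Quick self-check: the variable path must preserve the input verbatim, the
// source path must not.
if (strpos($safeOutput, $userInput) === false || strpos($unsafeOutput, $userInput) !== false) {
    fwrite(STDERR, "unexpected rendering\n");
    exit(1);
}
```

When reviewing a Pico plugin (or any Twig-based code) for this class of issue, the thing to grep for is request data reaching `createTemplate()`, `Environment::render()` with a loader whose template *names or bodies* come from the request, or a template written to disk from user input; `url_param()`, `$_GET` values in the context array, and the `unsafe_raw` filter all sit on the variable side of that line and stay inert, which is why the Snyk finding does not apply to Pico's own code.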