picocms / Pico

Pico is a stupidly simple, blazing fast, flat file CMS.
http://picocms.org/
MIT License

report - twig vulnerability - server side template injection #513

Closed tomholub closed 4 years ago

tomholub commented 4 years ago


https://app.snyk.io/vuln/SNYK-PHP-TWIGTWIG-72239

in8sworld commented 4 years ago

I'm using a very old 1.* version of pico and have not used composer. I found my twig version in: /vendor/twig/twig/lib/Twig/Environment.php listed as 1.34.4 I downloaded and set up in a development area the most recent stable version of pico yesterday (2.0.4) and it appears to contain twig version 1.36.0. Am I reading this correctly that the vulnerability was introduced in twig 1.42.3 which I would have if I used composer to update this vendor package? Are there vulnerabilities in my older versions I don't know about? exploit.db is blocked here at work, can you describe how this exploit would work?

tomholub commented 4 years ago

The old 1. version had 5 vulnerabilities identified, and the above vulnerability still showed up after I upgraded to latest 2. and re-ran the vulnerability checks.

On my end, I don't know. I'm just posting here what Snyk screams at me about. I'm not familiar with Twig releases, hopefully Pico maintainers can have a look.

tomholub commented 4 years ago
Vulnerability details:
# Exploit Title: Twig <2.4.4 Server side template injection 
# Date: 02/15/2018
# Exploit Author: JameelNabbo
# Author website: www.jameelnabbo.com
# Vendor Homepage: https://twig.symfony.com 
# Software Link: https://twig.symfony.com/doc/2.x/intro.html#installation
# Version: < 2.4.4
# Tested on: MAC OSX

1. Description:
Twig is a modern PHP template engine which compiles templates down to plain optimized PHP code. Twig <2.4.4 contains an SSTI vulnerability which allows attackers to execute commands within the parameters, by just using {{COMMAND TO EXECUTE}} instead of the expected values ("normal integer or normal string"), depending on the vulnerable application, which takes different params by GET or POST.

Example: by injecting this in a search param http://localhost/search?search_key={{4*4}}         Output: 16

2. POC:
http://localhost/search?search_key={{4*4}} 
OUTPUT: 4 

http://localhost/search?search_key={{ls}} 
OUTPUT: list of files/directories etc….

in8sworld commented 4 years ago

I believe this is not a concern because as far as I am aware stock pico does not provide any source of injection. ie: there is no search provided or other parameter passing method? At least in my simple site I don't see any way for this to be exploited at all. However, there are plugins which provide additional functionality and which may open this possibility. Perhaps devs can confirm?

tomholub commented 4 years ago

Very roughly that is my reading also. Looking at the Pico source, there is a urlParamFunction function exposed as url_param in the templates? If someone uses that, they may be vulnerable. I'm not a PHP dev so as you say this would be for the devs to look into.

PhrozenByte commented 4 years ago

I'm not sure how this is supposed to be exploited in general; the exploit description doesn't provide any actual Twig or PHP code - or am I missing something? Due to this I can only guess... Creating a test template with the following code (i.e. passing a URL parameter and explicitly not filtering it)

`Trying to exploit {{ url_param('foo', 'unsafe_raw') }}`

and requesting http://localhost/pico/?foo=%7B%7B4*4%7D%7D returns the URL parameter as a string (i.e. as expected)

`Trying to exploit {{4*4}}`

Since I don't understand how this exploit is supposed to work, I can't really judge whether plugins might be exploitable. I even tried creating a very simple Pico plugin passing both [ 'params' => $_GET ] ({{ params["foo"] }}) and [ 'foo' => $_GET['foo'] ] ({{ foo }}) unchanged - still nothing, the string is printed without interpretation.

Testing with Twig 1.42.3.

Also see twigphp/Twig#2743

This is a false warning/exploit.
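To make the distinction in this thread concrete, here is an added example (not Pico's or Twig's own code) that renders the same `{{4*4}}` input two ways: once as a template variable, which is what Pico's `url_param` and the plugin test above do, and once spliced into the template source itself, which is the only way Twig evaluates it. It assumes a Composer-installed Twig with namespaced class names; on Twig releases before 1.42 / 2.7 use the legacy `Twig_Environment` and `Twig_Loader_Array` names.

```php
<?php
// Added example, not part of Pico or Twig. Assumes Twig installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed request value standing in for ?search_key={{4*4}}
$userInput = '{{4*4}}';

// Safe pattern: the template is fixed and the user input enters only as a
// variable. Twig never re-parses variable values as template code, so the
// literal text "{{4*4}}" is output (HTML-escaped by the default autoescaper).
// This is what url_param('foo', 'unsafe_raw') in a Pico theme does.
function renderAsVariable(string $input): string
{
    $twig = new Environment(new ArrayLoader([
        'search.twig' => 'You searched for: {{ search_key }}',
    ]));
    return $twig->render('search.twig', ['search_key' => $input]);
}

// Unsafe pattern: the user input becomes part of the template *source*, so
// Twig compiles and evaluates whatever expression it contains. This is an
// application bug (building templates from untrusted strings), not a flaw in
// Twig, and it is the only way the write-up's {{4*4}} behaviour can occur.
function renderAsTemplateSource(string $input): string
{
    $twig = new Environment(new ArrayLoader([]));
    return $twig->createTemplate('You searched for: ' . $input)->render();
}

echo renderAsVariable($userInput), PHP_EOL;
echo renderAsTemplateSource($userInput), PHP_EOL;
```

When reviewing a Pico plugin or theme for this class of issue, the question is therefore not whether request data reaches a template variable, but whether any code path hands request data to `createTemplate()` or otherwise builds template source from it.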