[VIM] Lifetype "XSS" issue might be file inclusion?
George A. Theall
theall at tenablesecurity.com
Mon Apr 17 22:31:07 EDT 2006
> Lifetype has source available, but a grep-style check didn't find
> proof right away.
>
> - op parameter is "Template" which suggests use of templates, which
> are frequently files...
>
> - attacker uses XSS manipulation in a Template op
>
> - and even with the XSS manipulation, you get full path disclosure
>
>
> So - this could be an application-controlled XSS/full path disclosure
> ("hey, I couldn't find the template using this filename: [XYZ]") or
> maybe it's a PHP-level inclusion/path traversal error by actually
> trying to access the file and failing.
Here's what I see (minus HTML formatting) when I run an exploit against
1.0.3:
---- snip, snip, snip ----
Exception message: Smarty error: unable to read resource: "standard/[XSS_here].template"
Error code: 512
-- Backtrace --
/var/www/localhost/htdocs/lifetype/class/template/smarty/Smarty.class.php(1108): trigger_error
/var/www/localhost/htdocs/lifetype/class/template/smarty/Smarty.class.php(1604): cachedtemplate.trigger_error
/var/www/localhost/htdocs/lifetype/class/template/smarty/Smarty.class.php(1433): cachedtemplate._fetch_resource_info
/var/www/localhost/htdocs/lifetype/class/template/smarty/Smarty.class.php(1279): cachedtemplate._compile_resource
/var/www/localhost/htdocs/lifetype/class/template/cachedtemplate.class.php(48): smarty.fetch
/var/www/localhost/htdocs/lifetype/class/view/smartyview.class.php(207): cachedtemplate.fetch
/var/www/localhost/htdocs/lifetype/class/view/blogview.class.php(224): smartyview.render
/var/www/localhost/htdocs/lifetype/class/controller/controller.class.php(329): templateview.render
/var/www/localhost/htdocs/lifetype/index.php(42): blogcontroller.process
---- snip, snip, snip ----
A comment in class/template/smarty/Smarty.class.php suggests it's a
slightly modified version.
I tried passing in a couple of directory traversal sequences, but Smarty
seems to cache files locally and uses its own name so directory
traversal sequences are ignored.
George
--
theall at tenablesecurity.com
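A defensive counterpart to the behaviour described in the message above, as an added example that is not Lifetype's or Smarty's code: the template name is validated against a fixed character set before it becomes a resource path, and the failure path logs the raw value server-side instead of reflecting it, with a backtrace, to the client. The "standard/<name>.template" layout is assumed from the error text; the function names and the demo directory are mine.

```php
<?php
declare(strict_types=1);

/**
 * Map an untrusted template name to a file under $baseDir, or return null.
 * Only a fixed character set is accepted, so "../", "/", "<" and quotes never
 * reach the filesystem, the Smarty resource string, or an error message.
 */
function resolveTemplate(string $baseDir, string $name): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $name . '.template');
    // realpath() resolves symlinks as well; the result must still sit under the base dir.
    if ($base === false || $real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

/** Failure path: detail goes to the server log, the client gets a generic message. */
function templateNotFound(string $rawName): string
{
    // bin2hex() keeps arbitrary input from corrupting the log file itself.
    error_log('template lookup failed for 0x' . bin2hex($rawName));
    return 'Template not found.';
}

// Constructed demo: a temporary template directory holding one valid template.
$dir = sys_get_temp_dir() . '/tpl_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/default.template', 'Hello {$name}');

foreach (['default', '../../../../etc/passwd', '<script>alert(1)</script>', 'missing'] as $input) {
    $file = resolveTemplate($dir, $input);
    // Only the validated, resolved filename would ever be handed to $smarty->display().
    echo str_pad(substr($input, 0, 30), 32),
         ($file === null ? templateNotFound($input) : 'OK: ' . basename($file)), "\n";
}

unlink($dir . '/default.template');
rmdir($dir);
```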