On Mon, Aug 04, 2008 at 08:24:22PM +0200, Tomas Hoger wrote:
> Hi Thomas!

Hi Tomas,

> Have you managed to reproduce this, even with Smarty in webroot and
> register_globals enabled? Your report mentions _get_plugin_filepath,
> but that does seem to be a different vector than one described in the
> original report. $type and $name can not be spoofed with
> register_globals, as those are function arguments. Moreover, in most
> cases where _get_plugin_filepath is called, both arguments are fixed
> strings or values read from the (trusted) file.
>
> Reported attack vector is:
> Smarty_Compiler.class.php?plugin_file=http://shell
>
> However, $plugin_file is always initialized before use in
> Smarty_Compiler.class.php. Is the original report bogus or does HYIP
> use some old or customized Smarty version? (Well, I guess you don't
> know the real answer to this, just like me ;).

First of all, sorry for the long delay! I had a big hardware crash on my development PC :(

So, I have now tested it again on a PC at work, and I am surprised that it is not vulnerable again like before. The same versions and packages are installed ... So either I made a mistake in my first research or now.

My offer to you is that if you also aren't able to reproduce this issue with the actual Smarty package, you can close this bug and all is fine, because you know the source better than me, I think.

> --
> Tomas Hoger

Kind regards,
Thomas.
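An added example, not part of the original e-mail thread and not Smarty code: a heuristic Python check for the property argued in the quoted message, namely that a variable reaching include/require is either assigned before use or is a function-local name that register_globals cannot set. The PHP sample, its variable names and the `audit` function are constructed for illustration.

```python
import re

# Heuristic scanner: it does not parse PHP strings or comments, so hits are review leads.
TOKEN = re.compile(r"""
    (?P<func>\bfunction\b[^({;]*\([^)]*\))
  | \bglobal\s+(?P<glob>[^;]+);
  | (?<![$>])\b(?:include|require)(?:_once)?\b(?P<inc>[^;]*);
  | \$(?P<asg>\w+)\s*=(?![=>])
  | (?P<brace>[{}])
""", re.X)
VAR = re.compile(r"\$(\w+)")

# Constructed PHP sample (hypothetical file, not taken from Smarty).
SAMPLE = """<?php
require_once $lib_dir . '/core.php';
$plugin_file = dirname(__FILE__) . '/plugins/demo.php';
include_once $plugin_file;
function get_plugin($type, $name) {
    include_once $type . '.' . $name . '.php';
}
function load_theme() {
    global $theme_file;
    include $theme_file;
}
"""

def audit(php):
    """Return [(line, var)] for include/require arguments that a request could
    pre-set under register_globals: global names not assigned earlier in the file."""
    findings, assigned = [], set()              # assigned: globals initialised so far
    depth, fn_depth, imported = 0, None, set()  # fn_depth is None at file scope
    for m in TOKEN.finditer(php):
        in_fn = fn_depth is not None
        if m.group("func") and not in_fn:
            fn_depth, imported = depth, set()   # parameters and locals start clean
        elif m.group("glob") and in_fn:
            imported |= set(VAR.findall(m.group("glob")))
        elif m.group("asg") and (not in_fn or m.group("asg") in imported):
            assigned.add(m.group("asg"))
        elif m.group("inc") is not None:
            line = php.count("\n", 0, m.start()) + 1
            for name in VAR.findall(m.group("inc")):
                if (not in_fn or name in imported) and name not in assigned:
                    findings.append((line, name))
        elif m.group("brace"):
            depth += 1 if m.group("brace") == "{" else -1
            if in_fn and depth == fn_depth:     # closing brace of the function body
                fn_depth = None
    return findings
```

On the sample, `$lib_dir` (file scope, never assigned) and `$theme_file` (imported with `global`, never assigned) are reported, while the initialized `$plugin_file` and the function arguments `$type` and `$name` are not.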