
smarty_function_mailto - JavaScript injection in eval function #454

Closed
iricartb opened this issue Jun 18, 2018 · 3 comments


iricartb commented Jun 18, 2018

I found a bug in the Smarty package, specifically in the smarty_function_mailto($params) function.

Remote exploitation of such vulnerability is unlikely, but it is still advisable to take it into account.

A web page that uses this function and that could be parameterized using GET or POST input parameters could cause the injection of JavaScript code of a malicious user and cause cross-site scripting attacks.

Using the following code you can inject JavaScript code into the smarty_function_mailto function.

===============================================================

<?php

// The plugin file in the Smarty source tree that defines smarty_function_mailto().
require('libs/plugins/function.mailto.php');

$params = array(
    'encode'  => 'javascript',
    // The single quote after the second address is escaped (\') so this PHP
    // string literal parses; the value itself still carries the unescaped
    // quote that breaks out of the generated JavaScript string.
    'address' => 'iricartb@gmail.com">iricartb@gmail.com\'); alert("- JavaScript Injected -"); //',
);

echo smarty_function_mailto($params);

===============================================================


@iricartb iricartb changed the title BUG SMARTY PACKAGE - JAVASCRIPT INJECTION Smarty - smarty_function_mailto - JavaScript injection in eval function Jun 21, 2018
@iricartb iricartb changed the title Smarty - smarty_function_mailto - JavaScript injection in eval function smarty_function_mailto - JavaScript injection in eval function Jun 21, 2018
@wisskid wisskid self-assigned this Feb 6, 2020
Contributor

wisskid commented Feb 6, 2020

Definitely a security risk, esp when users on a website can provide their own mail address in a profile for example. And there's an issue with html escaping not being done too. See:

<?php

require('libs/Smarty.class.php');

$tpl = new Smarty();
$tpl->assign("htmladdress", 'iricartb@gmail.com"><h1>');
$tpl->assign("jsaddress", 'iricartb@gmail.com">iricartb@gmail.com\'); alert("- JavaScript Injected -"); //');

file_put_contents("output.html", $tpl->fetch('page1.tpl'));

page1.tpl:

{mailto address=$htmladdress}
{mailto address=$jsaddress encode=javascript}

then open output.html in your browser. Choosing iricartb@gmail.com"><h1> as your mail address will change page layout by injecting an h1. This applies to the text param as well.

Contributor

wisskid commented Feb 6, 2020

Savvy Smarty users might have circumvented this bug by doing {mailto address=$htmladdress|escape} and it will not be possible to detect this, which might cause double escaping. We should probably warn for this in the release notes.
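A hardened builder for the same encode=javascript output shape discussed in the two comments above, added here as an example (it is not Smarty's own plugin code and not the fix the project shipped); the function name build_mailto_js and the up-front address validation are this example's own choices:

```php
<?php
// Added example, not Smarty's code: produce the encode=javascript output
// (document.write of an <a>, hex-encoded, run through eval(unescape())) while
// escaping each untrusted value for the context it lands in.

function build_mailto_js(string $address, string $text = ''): string
{
    // Reject anything that is not a plausible e-mail address before it
    // reaches any output context (this example's choice, not the plugin's).
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('not a valid e-mail address');
    }
    if ($text === '') {
        $text = $address;
    }

    // HTML context: attribute value and link text are entity-escaped, so the
    // "><h1> value from the thread becomes inert text instead of markup.
    $href   = htmlspecialchars('mailto:' . $address, ENT_QUOTES, 'UTF-8');
    $label  = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    $anchor = '<a href="' . $href . '">' . $label . '</a>';

    // JavaScript string context: json_encode yields a quoted, escaped JS
    // string literal, so a quote inside $anchor cannot end the literal early.
    $literal = json_encode($anchor, JSON_HEX_TAG | JSON_HEX_QUOT | JSON_HEX_APOS);
    $js = 'document.write(' . $literal . ');';

    // Percent-hex encode every byte for unescape(), as the plugin does.
    $encoded = '';
    for ($i = 0, $n = strlen($js); $i < $n; $i++) {
        $encoded .= '%' . bin2hex($js[$i]);
    }
    return '<script type="text/javascript">eval(unescape(\'' . $encoded . '\'))</script>';
}

// Constructed inputs, taken from the two reports in this thread.
echo build_mailto_js('iricartb@gmail.com', 'iricartb@gmail.com"><h1>'), PHP_EOL;

try {
    build_mailto_js('iricartb@gmail.com">iricartb@gmail.com\'); alert("- JavaScript Injected -"); //');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Because json_encode escapes non-ASCII characters as \uXXXX by default, the string handed to the byte-wise %XX loop is pure ASCII, which also avoids unescape() mangling multibyte UTF-8 in the link text.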

wisskid added a commit that referenced this issue Sep 14, 2022