Package: gallery2
Version: 2.2.5
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was published for smarty.

CVE-2007-2326[0]:
| Multiple PHP remote file inclusion vulnerabilities in HYIP Manager Pro
| allow remote attackers to execute arbitrary PHP code via a URL in the
| plugin_file parameter to (1) Smarty.class.php and (2)
| Smarty_Compiler.class.php in inc/libs/; (3)
| core.display_debug_console.php, (4) core.load_plugins.php, (5)
| core.load_resource_plugin.php, (6) core.process_cached_inserts.php,
| (7) core.process_compiled_include.php, and (8)
| core.read_cache_file.php in inc/libs/core/; and other unspecified
| files. NOTE: (1) and (2) might be incorrectly reported vectors in
| Smarty.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2326
    http://security-tracker.debian.net/tracker/CVE-2007-2326

The vulnerable function is _get_plugin_filepath($type, $name). You can find its definition in Smarty.class.php:

] function _get_plugin_filepath($type, $name)
] {
]     $_params = array('type' => $type, 'name' => $name);
]     require_once(SMARTY_CORE_DIR.'core.assemble_plugin_filepath.php');
]     return smarty_core_assemble_plugin_filepath($_params,$this);
] }

The $_params, which contains the unchecked $type and $name of the plugin which shall be inserted, is not checked against RFI or other malicious strings received via GET requests.

Kind regards,
Thomas.
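One way to constrain the two values before a plugin path is built, shown as an added example that is not part of the original report and is not Smarty or gallery2 code. The names checked_plugin_filepath and ALLOWED_PLUGIN_TYPES and the demo directory are hypothetical, and the allow-list assumes Smarty 2's type.name.php plugin file naming.

```php
<?php
// Added illustration; not Smarty or gallery2 code. All names here are hypothetical.

// Assumption: the plugin types Smarty 2 uses in plugin file names (type.name.php).
const ALLOWED_PLUGIN_TYPES = ['function', 'modifier', 'block', 'compiler',
    'prefilter', 'postfilter', 'outputfilter', 'resource', 'insert'];

/**
 * Return the absolute path of a plugin file inside $pluginsDir,
 * or null when $type/$name are not acceptable or the file is elsewhere.
 */
function checked_plugin_filepath(string $pluginsDir, $type, $name): ?string
{
    // Request parameters can arrive as arrays; accept plain strings only.
    if (!is_string($type) || !is_string($name)) return null;
    // The type must be one of the known literals, compared strictly.
    if (!in_array($type, ALLOWED_PLUGIN_TYPES, true)) return null;
    // The name is an identifier: no slashes, dots, colons, NUL bytes or newlines.
    if (preg_match('/\A[A-Za-z_][A-Za-z0-9_]{0,63}\z/', $name) !== 1) return null;

    $base = realpath($pluginsDir);
    if ($base === false) return null;
    // realpath() resolves symlinks, so the containment check sees the real target.
    $path = realpath($base . DIRECTORY_SEPARATOR . "$type.$name.php");
    if ($path === false || !is_file($path) || dirname($path) !== $base) return null;
    return $path;
}

// Constructed demo: a temporary plugin directory holding one plugin file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'plugins_demo_' . getmypid();
mkdir($dir);
touch($dir . DIRECTORY_SEPARATOR . 'modifier.upper.php');

$cases = [                                  // constructed sample inputs
    ['modifier', 'upper'],                  // well-formed, file exists
    ['modifier', 'missing'],                // well-formed, no such file
    ['http://example.invalid/x', 'upper'],  // type outside the allow-list
    ['modifier', '../../etc/passwd'],       // path separators in the name
    ['modifier', "upper\0.txt"],            // embedded NUL byte
    ['modifier', ['upper']],                // array instead of a string
];
foreach ($cases as [$t, $n]) {
    $result = checked_plugin_filepath($dir, $t, $n);
    printf("%-30s %-22s => %s\n", json_encode($t), json_encode($n),
        $result === null ? 'rejected' : 'accepted');
}

unlink($dir . DIRECTORY_SEPARATOR . 'modifier.upper.php');
rmdir($dir);
```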