CVE-2021-43674: Possible Path manipulation vulnerability · Issue #2289 · ThinkUpLLC/ThinkUp

Hello,

I would like to report for path manipulation vulnerability.

The path of the vulnrability:

File “Smarty.class.php” line 1714

function _read_file($filename) { if ( file_exists($filename) && is_readable($filename) && ($fd = @fopen($filename, ‘rb’)) ) { $contents = '’; while (!feof($fd)) { $contents .= fread($fd, 8192); } fclose($fd); // the source return $contents; } else { return false; } }

File “core.read-cache-file.php”

line 43 // the source will be the returned value from _read_file $params[‘results’] = $smarty->_read_file($_cache_file); // line 51 $_contents = $params[‘results’]; // line 54 $_cache_info = unserialize(substr($_contents, $_info_start, $_info_len)); //line 73 // the pattern is array_keys here foreach (array_keys($_cache_info[‘template’]) as $_template_dep) { $_params[‘resource_name’] = $_template_dep; // the source will pass to _fetch_resource_info function if (!$smarty->_fetch_resource_info($_params) || $_cache_info[‘timestamp’] < $_params[‘resource_timestamp’]) { // template file has changed, regenerate cache return false; } }

File “Smarty.class.php”

// line 1538 in function _fetch_resource_info $_params = array(‘resource_name’ => $params[‘resource_name’]) ; // line 1544 if ($this->_parse_resource_name($_params)) {…} // line 1620 in function _parse_resource_name // $params is $_params $_resource_name_parts = explode(':’, $params[‘resource_name’], 2); // line 1632 $params[‘resource_type’] = $_resource_name_parts[0]; // line 1661 $_params = array(‘type’ => $params[‘resource_type’]); // line 1663 // the source will be passed in $_params[‘type’] to the function smarty_core_load_resource_plugin smarty_core_load_resource_plugin($_params, $this);

File “core.load_resource_plugin.php”

// line 44 // $params[‘type’] will be in $_plugin_file $_plugin_file = $smarty->_get_plugin_filepath('resource’, $params[‘type’]); // line 51 include_once($_plugin_file);