Bug 858987 - (CVE-2012-4437) CVE-2012-4437 php-Smarty: XSS due to improper sanitization of messages within SmartyException
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20120911,repor...
Keywords: Reopened, Security
Depends On: 858989 920149
Reported: 2012-09-20 05:54 EDT by Jan Lieskovsky
Modified: 2015-01-23 03:59 EST
Doc Type: Bug Fix
Last Closed: 2015-01-22 00:15:09 EST

Attachments
Local copy of Debian's patch for php-Smarty v2 (2.20 KB, patch)
2013-03-11 09:10 EDT, Jan Lieskovsky

External Trackers
Tracker ID Priority Status Summary Last Updated
Debian BTS 702710 None None None Never

Description Jan Lieskovsky 2012-09-20 05:54:18 EDT
A cross-site scripting (XSS) flaw was found in the way the SmartyException class of Smarty (php-Smarty), a template / presentation framework for the PHP language, performed sanitization of exception messages. A remote attacker could use this flaw to execute arbitrary HTML or web script in the context of a Smarty user's session if the victim visited a specially-crafted web page.

References:
[1] http://secunia.com/advisories/50589/
[2] http://code.google.com/p/smarty-php/source/browse/trunk/distribution/change_log.txt
[3] http://www.openwall.com/lists/oss-security/2012/09/19/1
[4] http://www.openwall.com/lists/oss-security/2012/09/20/3

Upstream patch:
[5] http://code.google.com/p/smarty-php/source/detail?r=4658
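
The class of flaw described above (an exception message that embeds caller-supplied text and is written into an HTML page without encoding), shown beside its corrected form. This is an added example, not code from the bug report or from Smarty; TemplateException, loadTemplate, renderErrorUnsafe and renderErrorEscaped are hypothetical names, and the input is constructed.

```php
<?php
// Hypothetical stand-in for an exception class whose message embeds
// caller-supplied text; this is not Smarty's SmartyException.
class TemplateException extends Exception {}

// Constructed lookup: the requested name ends up inside the message.
function loadTemplate(string $name): string
{
    $known = ['index.tpl' => '<h1>Home</h1>'];
    if (!isset($known[$name])) {
        throw new TemplateException("Unable to load template '$name'");
    }
    return $known[$name];
}

// Before: the message is written into the HTML response as-is.
function renderErrorUnsafe(Exception $e): string
{
    return '<p class="error">' . $e->getMessage() . '</p>';
}

// After: the message is encoded for an HTML context at the point of output.
function renderErrorEscaped(Exception $e): string
{
    $msg = htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p class="error">' . $msg . '</p>';
}

// Constructed input: harmless marker markup standing in for request data.
$requested = '<b id="marker">x</b>.tpl';

try {
    echo loadTemplate($requested);
} catch (TemplateException $e) {
    $unsafe  = renderErrorUnsafe($e);
    $escaped = renderErrorEscaped($e);
    // The unescaped rendering carries the markup through as live HTML.
    var_dump(strpos($unsafe, '<b id="marker">') !== false);
    // The escaped rendering contains only the entity-encoded form.
    var_dump(strpos($escaped, '<b id="marker">') === false);
    var_dump(strpos($escaped, '&lt;b id=&quot;marker&quot;&gt;') !== false);
    echo $escaped, PHP_EOL;
}
```
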
Comment 1 Jan Lieskovsky 2012-09-20 05:56:55 EDT
This issue affects the version of the php-Smarty package, as shipped with Fedora Rawhide. Please schedule an update.

--

This issue did NOT affect the versions of the php-Smarty package, as shipped with Fedora releases 16 and 17 (as they did not include support for SmartyException class yet).

--

This issue did NOT affect the versions of the php-Smarty package, as shipped with Fedora EPEL 5 and Fedora EPEL 6 (as they did not include support for SmartyException class yet).
Comment 2 Jan Lieskovsky 2012-09-20 05:58:25 EDT
Created php-Smarty tracking bugs for this issue

Affects: fedora-rawhide [bug 858989]
Comment 3 Gwyn Ciesla 2012-09-20 08:34:02 EDT
Affects f18 also, will update.
Comment 4 Jan Lieskovsky 2012-09-26 04:38:08 EDT
(In reply to comment #3)
> Affects f18 also, will update.

Thanks, Jon.

Looks like this issue has been corrected in both Rawhide and Fedora 18. Closing this bug (feel free to reopen if still needed).

Regards, Jan.
Comment 5 Jan Lieskovsky 2013-03-11 09:07:52 EDT
This issue affects the (current) version (php-Smarty-2.6.26-1.el5.2) of the php-Smarty package, as shipped with Fedora EPEL-5 => reopening the bug.

Relevant patch for php-Smarty v2.6 version (from corresponding Debian bug):
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702710#10
Comment 6 Jan Lieskovsky 2013-03-11 09:10:09 EDT
Created attachment 708356
Local copy of Debian's patch for php-Smarty v2

(from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702710#10)
Comment 7 Jan Lieskovsky 2013-03-11 09:11:19 EDT
Created php-Smarty tracking bugs for this issue

Affects: epel-5 [bug 920149]
