Tuesday, June 28, 2016

Bugtraq: Craft CMS affected by server side template injection

Craft CMS affected by server side template injection Jun 27 2016 07:58PM Securify B.V. (lists securify nl)

------------------------------------------------------------------------

Craft CMS affected by server side template injection

------------------------------------------------------------------------

Nelson Berg & Jurgen Kloosterman, June 2016

------------------------------------------------------------------------

Abstract

------------------------------------------------------------------------

It was discovered that Craft CMS is vulnerable to server-side

template injection. An authenticated attacker can exploit this issue

to compromise Craft CMS, for example by retrieving sensitive data from

configuration files.

------------------------------------------------------------------------

Tested versions

------------------------------------------------------------------------

All versions of Craft CMS prior to build 2791 are affected by this

vulnerability.

------------------------------------------------------------------------

Fix

------------------------------------------------------------------------

Pixel & Tonic, Inc. released Craft CMS build 2791 that resolves this

vulnerability. This build can easily be installed through the Control

Panel. After the fix is applied the rendering of templates is globally

limited in TemplatesService.php and TwigEnvironment.php.

------------------------------------------------------------------------

Details

------------------------------------------------------------------------

http://ift.tt/297UA4e

r_side_template_injection.html

[ reply ]


from SecurityFocus Vulnerabilities http://ift.tt/297avzN
Posted by at

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.

Subscribe to: Post Comments (Atom)