Smarty Template Engine 2.6.9 – ‘$smarty.template’ PHP Code Injection

• Exploit Database
• 14 阅读

• 作者： jonieske
  日期： 2011-02-09
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/35343/

• source: https://www.securityfocus.com/bid/46366/info
  
  Smarty Template Engine is prone to a remote PHP code-injection vulnerability.
  
  An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
  
  Versions prior to Smarty Template Engine 3.0.7 are vulnerable. 
  
  $smarty.template : '.(include 'hack.php').'.tpl