back to article Major web template flaw lets miscreants break out of sandboxes

A serious fresh category of web security vulnerability creates the potential for all sorts of mischief, security researchers warn. Template engines are widely used by web applications in order to present dynamic data via web pages and emails. The technology offers a server-side sandbox. The commonplace practice of allowing …

  1. Anonymous Coward
    Anonymous Coward

    not to be a troll

    Have to say one blessing even though I am often on call for production systems is not being responsible for any internet facing web servers. Opening port 80 or even 443 is your first mistake lol.

  2. streaky

    Did you know

    If you add all your users to sudoers and let them use compilers, bad things can happen..

  3. garetht t


    Details available here:

  4. Tom 7 Silver badge


    do people still write such shit websites?

    1. sisk

      Re: Wow

      Yes, they do. And some of them aren't half bad from a pure aesthetic viewpoint.

      Basically these types of systems are designed to either allow people with little-to-no knowledge of web design to build complete sites or to allow professional web designers to roll out sites much quicker (and therefore at less cost to the client) than they would normally be able to. They're not anywhere near as good as someone who actually knows what they're doing putting a good deal of time into building a site, but they are quick and easy enough for non-professionals to knock up a decent looking site.

  5. batfastad


    Alfresco... Hurrp. Hurrrrrp. Huuuurrrrrrrrppppppp.

  6. FF22

    Clueless security firm discovers the '90s

    This type of vulnerability is as old as template engines themselves. Nothing new here. Just a clueless security company discovering what every developer knew for two decades now.

    1. Ben Tasker Silver badge

      Re: Clueless security firm discovers the '90s

      Yes and no, if you read the actual paper there's some interesting stuff in there. It's not quite as simple as "If you let people edit templates, they can run code", which let's face it, should be a given.

      There's an example of a Wiki which attempts to sandbox you, but exposes a method that will allow you to save as the user currently viewing. So rather than simply entering your payload, you wrap it in a call to check if the user is an admin, and if they are silently save as them. Given that the point in a Wiki is generally that anyone can edit, that's a pretty big flaw.

      There are a few other bits in there, and it's definitely worth a read. I'd agree the baseline is pretty much common sense, but it's still worth 5 mins of your day, if only to see just how easily some of the sandboxes can be escaped.

  7. deadcow

    This isn't a particularly new vulnerability. Sanitising user input from any source is the very first thing that you learn about web security isn't it? Hopefully PortSwigger is mostly preaching to the choir.

  8. Raedwald Bretwalda

    "The commonplace practice of allowing untrusted users to edit templates..."

    "Unsafely embedding user input in templates..."

    Are two different things.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021