not to be a troll
Have to say one blessing, even though I am often on call for production systems, is not being responsible for any internet-facing web servers. Opening port 80 or even 443 is your first mistake lol.
A serious fresh category of web security vulnerability creates the potential for all sorts of mischief, security researchers warn. Template engines are widely used by web applications in order to present dynamic data via web pages and emails. The technology offers a server-side sandbox. The commonplace practice of allowing …
Yes, they do. And some of them aren't half bad from a pure aesthetic viewpoint.
Basically these types of systems are designed to either allow people with little-to-no knowledge of web design to build complete sites or to allow professional web designers to roll out sites much quicker (and therefore at less cost to the client) than they would normally be able to. They're not anywhere near as good as someone who actually knows what they're doing putting a good deal of time into building a site, but they are quick and easy enough for non-professionals to knock up a decent looking site.
Yes and no. If you read the actual paper there's some interesting stuff in there. It's not quite as simple as "If you let people edit templates, they can run code", which, let's face it, should be a given.
There's an example of a Wiki which attempts to sandbox you, but exposes a method that will allow you to save as the user currently viewing. So rather than simply entering your payload, you wrap it in a call to check if the user is an admin, and if they are, silently save as them. Given that the point of a Wiki is generally that anyone can edit, that's a pretty big flaw.
There are a few other bits in there, and it's definitely worth a read. I'd agree the baseline is pretty much common sense, but it's still worth 5 mins of your day, if only to see just how easily some of the sandboxes can be escaped.
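The Wiki case in the comment above is the interesting one from a defender's view: the sandbox stops raw code, but a convenience helper reachable from the template still acts with the authority of whoever is viewing the page. The following is an added example, not code from the paper or from any real template engine: a constructed, minimal `{{ name }}` substitution engine with two context-building strategies. `render_unsafe` hands the template live objects plus a `save_as_viewer` helper (the hypothetical equivalent of the exposed method), so a template author can make any viewer persist the page as themselves. `render_safe` exposes only copies of plain values, refuses callables and underscore-prefixed names, and so has nothing with side effects for a template to reach. All names (`WikiPage`, `User`, `TemplateDenied`) are invented for this illustration.

```python
"""Constructed stand-in for a template sandbox; not a real engine."""
import re
from dataclasses import dataclass

# Matches {{ dotted.name }} expressions only; no statements, no calls.
TAG = re.compile(r"\{\{\s*([A-Za-z_][\w.]*)\s*\}\}")


@dataclass
class User:
    name: str
    is_admin: bool = False


@dataclass
class WikiPage:
    title: str
    body: str
    owner: str = "anonymous"

    def save_as(self, user: User) -> str:
        """Persist the page under the given user's identity (a side effect)."""
        self.owner = user.name
        return f"saved as {user.name}"


def _lookup_unsafe(context, path):
    # Walks dotted names with getattr on live objects and invokes anything
    # callable it lands on: the template can trigger side effects.
    obj = context
    for part in path.split("."):
        obj = obj[part] if isinstance(obj, dict) else getattr(obj, part)
    return obj() if callable(obj) else obj


def render_unsafe(template: str, page: WikiPage, viewer: User) -> str:
    # The helper is bound to the *viewer*, so it runs with their authority
    # whenever the page is rendered, regardless of who wrote the template.
    context = {
        "page": page,
        "viewer": viewer,
        "save_as_viewer": lambda: page.save_as(viewer),
    }
    return TAG.sub(lambda m: str(_lookup_unsafe(context, m.group(1))), template)


class TemplateDenied(Exception):
    """Raised when a template references something not exposed to it."""


_PLAIN = (str, int, float, bool, type(None))


def _lookup_safe(context, path):
    # Only dict keys are traversed, never attributes; underscore names and
    # anything that is not a plain value are refused outright.
    obj = context
    for part in path.split("."):
        if part.startswith("_") or not isinstance(obj, dict) or part not in obj:
            raise TemplateDenied(f"{path!r} is not exposed to templates")
        obj = obj[part]
    if not isinstance(obj, _PLAIN):
        raise TemplateDenied(f"{path!r} is not a plain value")
    return obj


def render_safe(template: str, page: WikiPage, viewer: User) -> str:
    # Templates see copies of plain data only; no object can reach save_as.
    context = {
        "page": {"title": page.title, "body": page.body, "owner": page.owner},
        "viewer": {"name": viewer.name},
    }
    return TAG.sub(lambda m: str(_lookup_safe(context, m.group(1))), template)


if __name__ == "__main__":
    page = WikiPage("Home", "welcome")
    admin = User("alice", is_admin=True)
    # Constructed template: looks like a harmless header, but the trailing
    # tag makes every viewer re-save the page under their own identity.
    tpl = "{{ page.title }} viewed by {{ viewer.name }}{{ save_as_viewer }}"
    print(render_unsafe(tpl, page, admin), "| owner now:", page.owner)
    try:
        render_safe(tpl, page, User("bob"))
    except TemplateDenied as exc:
        print("safe renderer refused:", exc, "| owner still:", page.owner)
```

The design point is that the context handed to a template is an attack surface in its own right: a sandbox that blocks `import` but hands over an object with a privileged method has only moved the problem. Building the context from plain copies (the `render_safe` approach) is the cheap mitigation; auditing which helpers are reachable from user-editable templates is the review step that finds cases like the Wiki one.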