Are Symlinks on templates a security problem, and if yes, why?

Symlinks aren't necessarily bad.

First of all: If trying to open a symlink target, the file permissions of the target are in effect. If you're not allowed to read/write/execute the symlink target, nothing happens.

But: You might be able to run files outside your document root (sometimes that's actually what you want to do with them, right?). The problem can occur if your're not in a suEXEC environment and have an apache or www-data user on a shared hosting which, is in charge of serving files from different accounts. Your system user is not allowed to access files of another customer, but the apache/www-data user will mostly have read rights on all the shared accounts. This might be a scenario where one user can access files of another user on a shared host. Not with your own user, but by accessing the file via browser with the apache/www-data user. To sum up: In this scenario you will be able to access other users' files => bad.

The next bad thing is that an attacker could create symlinks, also to files like /etc/passwd,..., download this data and proceed with this information. This is not just only up to the symlink, but also up to a bad server configuration (where access to these files is strictly limited). So not using symlinks prevents from some more possible attacks.

It's not just about the symlink itself being a security risk, but a server configuration problem.

yes they are, thats why webservers usually also have a "dont follow symlinks" configuration or at least a "only follow symlinks of target with same user" Thats because webserver/php usually does run with more rights then you should have access to.

And as webservers usually try to avoid things like visible /etc/shadow, it is for magento templates even more dangerous, as templates get parsed via include() so you have possible very strong security leaks if you dont have full controll over your files.

You may argue, that there are other problems then, but who does really know every potential attack scenario, and most times its the combination of different less problematic security holes, which lead to the big breaks.

Also, there was some time ago a security fix regarding media directory and symlinks, so you should look there for possible attack scenarios.

I can only imagine this being a risk on shared hosts, which shouldn't be used for eCommerce in the first place.