Bug 501564 (CVE-2009-1669)

Summary: CVE-2009-1669 Smarty: arbitrary command execution via shell metacharacters in the equation attribute of the math function
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: chris.stone, vdanen
Keywords: Security
Hardware: All
OS: Linux
URL: http://www.smarty.net/
Doc Type: Bug Fix
Last Closed: 2011-06-16 18:52:56 UTC

Description Jan Lieskovsky 2009-05-19 18:53:24 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1669 to
the following vulnerability:

The smarty_function_math function in libs/plugins/function.math.php in
Smarty 2.6.22 allows context-dependent attackers to execute arbitrary
commands via shell metacharacters in the equation attribute of the
math function. NOTE: some of these details are obtained from third
party information. 

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1669
http://www.milw0rm.com/exploits/8659
http://www.securityfocus.com/bid/34918
http://osvdb.org/54380
http://secunia.com/advisories/35072
http://xforce.iss.net/xforce/xfdb/50457 

Smarty related references:
http://www.smarty.net/
http://www.smarty.net/misc/NEWS 
(Please also note the last record:
 Version 2.6.24 (May 16th, 2009)
 -------------------------------
 - fix problem introduced with super global changes (mohrt))

Comment 1 Jan Lieskovsky 2009-05-21 18:04:49 UTC
From the Debian bug tracker equivalent
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529810):

However in Linux after putting an empty file with a command as name ('uptime' for example):

{math equation="`*u*`"}

This will launch the "uptime" command.

I doubt this can be considered an issue; to exploit it, at least one file
must be written and shell_exec() must not be disabled.
At this point, writing a simple .php file with shell_exec('whatever I want') is
equivalent and simpler...
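The root cause described above is that the math plugin turned the equation attribute into a PHP expression and ran it through eval(), where PHP's backtick operator executes the enclosed text as a shell command, so a payload such as `*u*` reaches the shell. The following is an added example, not Smarty's own code and written in Python rather than the plugin's PHP: it parses the equation into an AST and evaluates only allowlisted arithmetic, variables taken from the plugin parameters and a fixed set of functions, so no text is ever evaluated or passed to a shell. The names ALLOWED_FUNCS, safe_math, is_safe and UnsafeEquation are this example's own.

```python
import ast
import math
import operator

# Allowlist of callable names; anything else in the equation is rejected.
ALLOWED_FUNCS = {"abs": abs, "ceil": math.ceil, "floor": math.floor,
                 "sqrt": math.sqrt, "max": max, "min": min, "round": round}
BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow}
UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}

class UnsafeEquation(ValueError):
    """Raised for any equation that is not pure allowlisted arithmetic."""

def _ev(node, params):
    """Evaluate one AST node; anything outside the allowlist is rejected."""
    if isinstance(node, ast.Expression):
        return _ev(node.body, params)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.Name):  # variables resolve only from params
        try:
            return float(params[node.id])  # coerced to a number, never spliced as text
        except (KeyError, TypeError, ValueError):
            raise UnsafeEquation(f"bad or unknown variable {node.id!r}") from None
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        return BIN_OPS[type(node.op)](_ev(node.left, params), _ev(node.right, params))
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_ev(node.operand, params))
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in ALLOWED_FUNCS and not node.keywords):
        return ALLOWED_FUNCS[node.func.id](*(_ev(a, params) for a in node.args))
    raise UnsafeEquation(f"disallowed construct: {type(node).__name__}")

def safe_math(equation, **params):
    """Evaluate a template math equation without ever handing text to eval()."""
    try:
        tree = ast.parse(equation, mode="eval")  # a backtick payload fails to parse here
    except SyntaxError as exc:
        raise UnsafeEquation(f"not an equation: {exc.msg}") from None
    return _ev(tree, params)

def is_safe(equation, **params):
    """True if the equation evaluates under the allowlist, False if it is rejected."""
    try:
        safe_math(equation, **params)
        return True
    except UnsafeEquation:
        return False
```

Rejecting at the parse and AST level, rather than filtering characters, also blocks attribute access and function calls outside the allowlist, not just backticks.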

Comment 2 Christopher Stone 2009-05-23 19:16:32 UTC
Looks like I am a couple revisions behind on Smarty. ;-)
Luckily it is a three day weekend.

I will upgrade the package to 2.6.24 sometime this weekend.  My time is extremely limited, but most likely tomorrow afternoon.

Thanks for the notice.

Comment 3 Fedora Update System 2009-05-25 20:28:59 UTC
php-Smarty-2.6.25-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/php-Smarty-2.6.25-1.fc11

Comment 4 Fedora Update System 2009-05-25 20:29:59 UTC
php-Smarty-2.6.25-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/php-Smarty-2.6.25-1.fc10

Comment 5 Fedora Update System 2009-05-25 20:30:42 UTC
php-Smarty-2.6.25-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/php-Smarty-2.6.25-1.fc9

Comment 6 Fedora Update System 2009-05-27 19:06:11 UTC
php-Smarty-2.6.25-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2009-05-27 19:07:38 UTC
php-Smarty-2.6.25-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2009-05-27 19:08:23 UTC
php-Smarty-2.6.25-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.