Red Hat Bugzilla – Bug 501564
CVE-2009-1669 Smarty: arbitrary commands execution via shell metacharacters in the equation attribute of the math function
Last modified: 2011-06-16 14:52:56 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1669 to
the following vulnerability:
The smarty_function_math function in libs/plugins/function.math.php in
Smarty 2.6.22 allows context-dependent attackers to execute arbitrary
commands via shell metacharacters in the equation attribute of the
math function. NOTE: some of these details are obtained from third
Smarty related references:
(Please notice also the last record:
Version 2.6.24 (May 16th, 2009)
- fix problem introduced with super global changes (mohrt))
From the Debian bug tracker equivalent
However in Linux after putting an empty file with a command as its name ('uptime' for example):
This will launch the "uptime" command.
I doubt this can be considered an issue; to exploit it, at least one file
must be written and shell_exec() must not be disabled.
At this point writing a simple .php file with shell_exec('whatever I want') is
equivalent and simpler...
Looks like I am a couple revisions behind on Smarty. ;-)
Luckily it is a three day weekend.
I will upgrade the package to 2.6.24 sometime this weekend. My time is extremely limited, but most likely tomorrow afternoon.
Thanks for the notice.
php-Smarty-2.6.25-1.fc11 has been submitted as an update for Fedora 11.
php-Smarty-2.6.25-1.fc10 has been submitted as an update for Fedora 10.
php-Smarty-2.6.25-1.fc9 has been submitted as an update for Fedora 9.
php-Smarty-2.6.25-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
php-Smarty-2.6.25-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
php-Smarty-2.6.25-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.