Bug 501564 (CVE-2009-1669) - CVE-2009-1669 Smarty: arbitrary commands execution via shell metacharacters in the equation attribute of the math function
Summary: CVE-2009-1669 Smarty: arbitrary commands execution via shell metacharacters i...
Status: CLOSED ERRATA
Alias: CVE-2009-1669
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://www.smarty.net/
Whiteboard: public=20090513,reported=20090518,imp...
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-05-19 18:53 UTC by Jan Lieskovsky
Modified: 2011-06-16 18:52 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-06-16 18:52:56 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Jan Lieskovsky 2009-05-19 18:53:24 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1669 to
the following vulnerability:

The smarty_function_math function in libs/plugins/function.math.php in
Smarty 2.6.22 allows context-dependent attackers to execute arbitrary
commands via shell metacharacters in the equation attribute of the
math function. NOTE: some of these details are obtained from third
party information. 

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1669
http://www.milw0rm.com/exploits/8659
http://www.securityfocus.com/bid/34918
http://osvdb.org/54380
http://secunia.com/advisories/35072
http://xforce.iss.net/xforce/xfdb/50457 

Smarty related references:
http://www.smarty.net/
http://www.smarty.net/misc/NEWS 
(Please notice also the last record:
 Version 2.6.24 (May 16th, 2009)
 -------------------------------
 - fix problem introduced with super global changes (mohrt))

Comment 1 Jan Lieskovsky 2009-05-21 18:04:49 UTC
From the Debian bug tracker equivalent
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529810):

However in Linux after putting an empty file with a command as name ('uptime' for example):

{math equation="`*u*`"}

This will launch the "uptime" command.

I doubt this can be considered an issue, to exploit it at least one file
must be written and shell_exec() must not to be disabled.
At this point writing a simple .php file with shell_exec('whatever I want') is
equivalent and simplest...

Comment 2 Christopher Stone 2009-05-23 19:16:32 UTC
Looks like I am a couple revisions behind on Smarty. ;-)
Luckily it is a three day weekend.

I will upgrade the package to 2.6.24 sometime this weekend.  My time is extremely limited, but most likely tomorrow afternoon.

Thanks for the notice.

Comment 3 Fedora Update System 2009-05-25 20:28:59 UTC
php-Smarty-2.6.25-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/php-Smarty-2.6.25-1.fc11

Comment 4 Fedora Update System 2009-05-25 20:29:59 UTC
php-Smarty-2.6.25-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/php-Smarty-2.6.25-1.fc10

Comment 5 Fedora Update System 2009-05-25 20:30:42 UTC
php-Smarty-2.6.25-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/php-Smarty-2.6.25-1.fc9

Comment 6 Fedora Update System 2009-05-27 19:06:11 UTC
php-Smarty-2.6.25-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2009-05-27 19:07:38 UTC
php-Smarty-2.6.25-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2009-05-27 19:08:23 UTC
php-Smarty-2.6.25-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.