Bug 501564 - (CVE-2009-1669) CVE-2009-1669 Smarty: arbitrary commands execution via shell metacharacters in the equation attribute of the math function
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
http://www.smarty.net/
public=20090513,reported=20090518,imp...
: Security
Reported: 2009-05-19 14:53 EDT by Jan Lieskovsky
Modified: 2011-06-16 14:52 EDT
Doc Type: Bug Fix
Last Closed: 2011-06-16 14:52:56 EDT
Description Jan Lieskovsky 2009-05-19 14:53:24 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1669 to
the following vulnerability:

The smarty_function_math function in libs/plugins/function.math.php in
Smarty 2.6.22 allows context-dependent attackers to execute arbitrary
commands via shell metacharacters in the equation attribute of the
math function. NOTE: some of these details are obtained from third
party information. 

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1669
http://www.milw0rm.com/exploits/8659
http://www.securityfocus.com/bid/34918
http://osvdb.org/54380
http://secunia.com/advisories/35072
http://xforce.iss.net/xforce/xfdb/50457 

Smarty related references:
http://www.smarty.net/
http://www.smarty.net/misc/NEWS 
(Please notice also the last record:
 Version 2.6.24 (May 16th, 2009)
 -------------------------------
 - fix problem introduced with super global changes (mohrt))
Comment 1 Jan Lieskovsky 2009-05-21 14:04:49 EDT
From the Debian bug tracker equivalent
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529810):

However in Linux after putting an empty file with a command as name ('uptime' for example):

{math equation="`*u*`"}

This will launch the "uptime" command.

I doubt this can be considered an issue, to exploit it at least one file
must be written and shell_exec() must not be disabled.
At this point writing a simple .php file with shell_exec('whatever I want') is
equivalent and simpler...
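
An added example, not part of the original bug thread and not Smarty's own code: a Python audit that scans Smarty template source for {math} tags whose equation attribute contains a backtick (as in the test case quoted in Comment 1), is supplied from a template variable, or contains characters outside an arithmetic allowlist. The function name audit_template, the allowlist and the sample template lines are assumptions constructed for illustration.

```python
import re

# A {math ...} tag and its attribute string (assumes default { } delimiters).
MATH_TAG = re.compile(r"\{math\b([^}]*)\}")
# equation="..." / equation='...' / unquoted equation=value
EQUATION = re.compile(r"""\bequation\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s}]+))""")
# Assumed allowlist for this audit: identifiers, numbers, arithmetic operators.
ALLOWED = re.compile(r"[\w\s+\-*/%().,]*")


def audit_template(text):
    """Return (line number, equation, reason) for each {math} tag worth review."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for tag in MATH_TAG.finditer(line):
            m = EQUATION.search(tag.group(1))
            if not m:
                continue
            eq = next(g for g in m.groups() if g is not None)
            if "`" in eq:
                reason = "backtick"   # the character used in the reported case
            elif eq.startswith("$"):
                reason = "dynamic"    # equation comes from a variable: trace its source
            elif not ALLOWED.fullmatch(eq):
                reason = "metachar"   # character outside the arithmetic allowlist
            else:
                continue
            findings.append((lineno, eq, reason))
    return findings


# Constructed sample template, not taken from any real application.
SAMPLE = "\n".join([
    '<p>{math equation="x * y" x=$qty y=$price}</p>',
    '{math equation="`*u*`"}',
    '{math equation=$user_formula}',
    '{math equation="(a + b) / 2" a=1 b=3}',
    '{math equation="x; y" x=1 y=2}',
])

if __name__ == "__main__":
    for finding in audit_template(SAMPLE):
        print(finding)
```

Run it over template directories after upgrading to a fixed package; "dynamic" findings need manual review of where the variable's value originates.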
Comment 2 Christopher Stone 2009-05-23 15:16:32 EDT
Looks like I am a couple revisions behind on Smarty. ;-)
Luckily it is a three day weekend.

I will upgrade the package to 2.6.24 sometime this weekend.  My time is extremely limited, but most likely tomorrow afternoon.

Thanks for the notice.
Comment 3 Fedora Update System 2009-05-25 16:28:59 EDT
php-Smarty-2.6.25-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/php-Smarty-2.6.25-1.fc11
Comment 4 Fedora Update System 2009-05-25 16:29:59 EDT
php-Smarty-2.6.25-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/php-Smarty-2.6.25-1.fc10
Comment 5 Fedora Update System 2009-05-25 16:30:42 EDT
php-Smarty-2.6.25-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/php-Smarty-2.6.25-1.fc9
Comment 6 Fedora Update System 2009-05-27 15:06:11 EDT
php-Smarty-2.6.25-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2009-05-27 15:07:38 EDT
php-Smarty-2.6.25-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2009-05-27 15:08:23 EDT
php-Smarty-2.6.25-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
