Bug 501564 (CVE-2009-1669) - CVE-2009-1669 Smarty: arbitrary commands execution via shell metacharacters in the equation attribute of the math function
Summary: CVE-2009-1669 Smarty: arbitrary commands execution via shell metacharacters i...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-1669
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://www.smarty.net/
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-05-19 18:53 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:30 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-06-16 18:52:56 UTC
Embargoed:

Attachments (Terms of Use)

Description Jan Lieskovsky 2009-05-19 18:53:24 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1669 to
the following vulnerability:

The smarty_function_math function in libs/plugins/function.math.php in
Smarty 2.6.22 allows context-dependent attackers to execute arbitrary
commands via shell metacharacters in the equation attribute of the
math function. NOTE: some of these details are obtained from third
party information. 

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1669
http://www.milw0rm.com/exploits/8659
http://www.securityfocus.com/bid/34918
http://osvdb.org/54380
http://secunia.com/advisories/35072
http://xforce.iss.net/xforce/xfdb/50457 

Smarty related references:
http://www.smarty.net/
http://www.smarty.net/misc/NEWS 
(Please notice also the last record:
 Version 2.6.24 (May 16th, 2009)
 -------------------------------
 - fix problem introduced with super global changes (mohrt))
Comment 1 Jan Lieskovsky 2009-05-21 18:04:49 UTC 
From the Debian bug tracker equivalent
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529810):

However in Linux after putting an empty file with a command as name ('uptime' for example):

{math equation="`*u*`"}

This will launch the "uptime" command.

I doubt this can be considered an issue, to exploit it at least one file
must be written and shell_exec() must not to be disabled.
At this point writing a simple .php file with shell_exec('whatever I want') is
equivalent and simplest...
Comment 2 Christopher Stone 2009-05-23 19:16:32 UTC 
Looks like I am a couple revisions behind on Smarty. ;-)
Luckily it is a three day weekend.

I will upgrade the package to 2.6.24 sometime this weekend.  My time is extremely limited, but most likely tomorrow afternoon.

Thanks for the notice.
Comment 3 Fedora Update System 2009-05-25 20:28:59 UTC 
php-Smarty-2.6.25-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/php-Smarty-2.6.25-1.fc11
Comment 4 Fedora Update System 2009-05-25 20:29:59 UTC 
php-Smarty-2.6.25-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/php-Smarty-2.6.25-1.fc10
Comment 5 Fedora Update System 2009-05-25 20:30:42 UTC 
php-Smarty-2.6.25-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/php-Smarty-2.6.25-1.fc9
Comment 6 Fedora Update System 2009-05-27 19:06:11 UTC 
php-Smarty-2.6.25-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2009-05-27 19:07:38 UTC 
php-Smarty-2.6.25-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2009-05-27 19:08:23 UTC 
php-Smarty-2.6.25-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.