Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1669 to the following vulnerability: The smarty_function_math function in libs/plugins/function.math.php in Smarty 2.6.22 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the equation attribute of the math function. NOTE: some of these details are obtained from third party information. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1669 http://www.milw0rm.com/exploits/8659 http://www.securityfocus.com/bid/34918 http://osvdb.org/54380 http://secunia.com/advisories/35072 http://xforce.iss.net/xforce/xfdb/50457 Smarty related references: http://www.smarty.net/ http://www.smarty.net/misc/NEWS (Please notice also the last record: Version 2.6.24 (May 16th, 2009) ------------------------------- - fix problem introduced with super global changes (mohrt))
From the Debian bug tracker equivalent (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529810): However in Linux after putting an empty file with a command as name ('uptime' for example): {math equation="`*u*`"} This will launch the "uptime" command. I doubt this can be considered an issue, to exploit it at least one file must be written and shell_exec() must not to be disabled. At this point writing a simple .php file with shell_exec('whatever I want') is equivalent and simplest...
Looks like I am a couple revisions behind on Smarty. ;-) Luckily it is a three day weekend. I will upgrade the package to 2.6.24 sometime this weekend. My time is extremely limited, but most likely tomorrow afternoon. Thanks for the notice.
php-Smarty-2.6.25-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/php-Smarty-2.6.25-1.fc11
php-Smarty-2.6.25-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/php-Smarty-2.6.25-1.fc10
php-Smarty-2.6.25-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/php-Smarty-2.6.25-1.fc9
php-Smarty-2.6.25-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
php-Smarty-2.6.25-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
php-Smarty-2.6.25-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.