[Secure-testing-team] Bug#529810: CVE-2009-1669
Giuseppe Iuculano
giuseppe at iuculano.it
Thu May 21 16:50:17 UTC 2009
Package: smarty
Version: 2.6.22-1
Severity: normal
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for smarty.
CVE-2009-1669[0]:
| The smarty_function_math function in libs/plugins/function.math.php in
| Smarty 2.6.22 allows context-dependent attackers to execute arbitrary
| commands via shell metacharacters in the equation attribute of the
| math function. NOTE: some of these details are obtained from third
| party information.
With Windows you can launch commands like this:
{math equation="`^C^A^L^C`"}
^C^A^L^C is equivalent to calc.exe; this isn't true in Linux.
However, in Linux, after putting an empty file with a command as its name ('uptime' for example):
{math equation="`*u*`"}
This will launch the "uptime" command.
I doubt this can be considered an issue; to exploit it at least one file
must be written and shell_exec() must not be disabled.
At this point, writing a simple .php file with shell_exec('whatever I want') is
equivalent and simpler...
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1669
http://security-tracker.debian.net/tracker/CVE-2009-1669
http://www.milw0rm.com/exploits/8659
Patch: http://groups.google.com/group/smarty-svn/browse_thread/thread/b2da2e5d1ef8b462
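An audit check for the pattern described in this report, as an added example that is not part of the original message or of Smarty: it scans template text for {math} tags and flags equation values that contain backticks, are built from template variables, or use characters outside an arithmetic allow-list. The function name, the allow-list and the sample template are assumptions made for illustration.

```python
import re

# Constructed sample template. The two backtick equations are the ones quoted
# in the report; the other lines are made up for this example.
SAMPLE = '''<p>{math equation="x * (1 + rate)" x=$net rate=$vat}</p>
<p>{math equation="`^C^A^L^C`"}</p>
<p>{math equation="`*u*`"}</p>
<p>{math equation=$user_formula a=1}</p>
<p>{math equation='a; b' a=1 b=2}</p>
'''

# A {math ...} tag and its attribute string.
MATH_TAG = re.compile(r"\{math\b([^}]*)\}", re.IGNORECASE)
# The equation attribute: double-quoted, single-quoted, or bare value.
EQUATION = re.compile(r"""\bequation\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")
# Assumed allow-list: identifiers, numbers, arithmetic operators, parentheses.
SAFE = re.compile(r"^[\w\s+\-*/%^().,]*$", re.ASCII)


def audit_template(text):
    """Return [(line_number, equation, reason)] for {math} tags needing review."""
    findings = []
    for tag in MATH_TAG.finditer(text):
        match = EQUATION.search(tag.group(1))
        if match is None:
            continue
        equation = next(g for g in match.groups() if g is not None)
        if "`" in equation:
            reason = "backtick"          # the metacharacter used in the report
        elif "$" in equation:
            reason = "dynamic"           # value comes from a template variable
        elif not SAFE.match(equation):
            reason = "unexpected-char"   # outside the arithmetic allow-list
        else:
            continue
        line_number = text.count("\n", 0, tag.start()) + 1
        findings.append((line_number, equation, reason))
    return findings


if __name__ == "__main__":
    for line_number, equation, reason in audit_template(SAMPLE):
        print(f"line {line_number}: {reason}: {equation!r}")
```

A "dynamic" finding is not a verdict: it marks an equation whose content cannot be judged from the template alone and needs a look at where the variable is assigned.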