10 - GLSA-201006-13

Executive Summary

Summary
Title	Smarty: Multiple vulnerabilities

Informations
Name	GLSA-201006-13	First vendor Publication	2010-06-02
Vendor	Gentoo	Last vendor Modification	2010-06-02
Severity (Vendor)	Normal	Revision	N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score	10	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Synopsis

Multiple vulnerabilities in the Smarty template engine might allow remote attackers to execute arbitrary PHP code.

Background

Smarty is a template engine for PHP.

Description

Multiple vulnerabilities have been discovered in Smarty:

* The vendor reported that the modifier.regex_replace.php plug-in contains an input sanitation flaw related to the ASCII NUL character (CVE-2008-1066).

* The vendor reported that the _expand_quoted_text() function in libs/Smarty_Compiler.class.php contains an input sanitation flaw via multiple vectors (CVE-2008-4810, CVE-2008-4811).

* Nine:Situations:Group::bookoo reported that the smarty_function_math() function in libs/plugins/function.math.php contains input sanitation flaw (CVE-2009-1669).

Impact

These issues might allow a remote attacker to execute arbitrary PHP code.

Workaround

There is no known workaround at this time.

Resolution

All Smarty users should upgrade to an unaffected version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-php/smarty-2.6.23"

NOTE: This is a legacy GLSA. Updates for all affected architectures are available since June 2, 2009. It is likely that your system is already no longer affected by this issue.

References

[ 1 ] CVE-2008-1066 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1066
[ 2 ] CVE-2008-4810 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4810
[ 3 ] CVE-2008-4811 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4811
[ 4 ] CVE-2009-1669 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1669

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201006-13.xml

Original Source

Url : http://security.gentoo.org/glsa/glsa-201006-13.xml

CWE : Common Weakness Enumeration

%	Id	Name
50 %	CWE-20	Improper Input Validation
25 %	CWE-264	Permissions, Privileges, and Access Controls
25 %	CWE-94	Failure to Control Generation of Code ('Code Injection')

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:13108

Oval ID:	oval:org.mitre.oval:def:13108
Title:	DSA-1919-1 smarty -- several
Description:	Several remote vulnerabilities have been discovered in Smarty, a PHP templating engine. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2008-4810 The _expand_quoted_text function allows for certain restrictions in templates, like function calling and PHP execution, to be bypassed. CVE-2009-1669 The smarty_function_math function allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the equation attribute of the math function. For the old stable distribution, these problems have been fixed in version 2.6.14-1etch2. For the stable distribution, these problems have been fixed in version 2.6.20-1.2. For the unstable distribution, these problems will be fixed soon. We recommend that you upgrade your smarty package.
Family:	unix	Class:	patch
Reference(s):	DSA-1919-1 CVE-2008-4810 CVE-2009-1669	Version:	5
Platform(s):	Debian GNU/Linux 5.0 Debian GNU/Linux 4.0	Product(s):	smarty
Definition Synopsis:
Release section Debian GNU/Linux 5.0 is installed AND Installed architecture is all AND smarty DPKG is earlier than 2.6.20-1.2 OR Release section Debian GNU/Linux 4.0 is installed. AND Installed architecture is all AND smarty DPKG is earlier than 2.6.14-1etch2

Definition Id: oval:org.mitre.oval:def:13560

Oval ID:	oval:org.mitre.oval:def:13560
Title:	DSA-1919-2 smarty -- several
Description:	A regression was found in the patch applied in DSA 1919-1 to smarty, which caused compilation failures on some specific templates. This update corrects the fix. For reference, the full advisory text below. Several remote vulnerabilities have been discovered in Smarty, a PHP templating engine. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2008-4810 The _expand_quoted_text function allows for certain restrictions in templates, like function calling and PHP execution, to be bypassed. CVE-2009-1669 The smarty_function_math function allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the equation attribute of the math function. For the stable distribution, this problem has been fixed in version 2.6.20-1.3. The testing and unstable distribution are not affected by this regression. We recommend that you upgrade your smarty package.
Family:	unix	Class:	patch
Reference(s):	DSA-1919-2 CVE-2008-4810 CVE-2009-1669	Version:	5
Platform(s):	Debian GNU/Linux 5.0	Product(s):	smarty
Definition Synopsis:
Debian GNU/Linux 5.0 is installed AND Installed architecture is all AND smarty DPKG is earlier than 2.6.20-1.3

Definition Id: oval:org.mitre.oval:def:13807

Oval ID:	oval:org.mitre.oval:def:13807
Title:	USN-791-3 -- smarty vulnerability
Description:	It was discovered that Smarty did not correctly filter certain math inputs. A remote attacker using Smarty via a web service could exploit this to execute subsets of shell commands as the web server user.
Family:	unix	Class:	patch
Reference(s):	USN-791-3 CVE-2009-1669	Version:	5
Platform(s):	Ubuntu 9.04	Product(s):	smarty
Definition Synopsis:
Ubuntu 9.04 is installed AND Installed architecture is all AND smarty DPKG is earlier than 2.6.22-1ubuntu1.1

Definition Id: oval:org.mitre.oval:def:18646

Oval ID:	oval:org.mitre.oval:def:18646
Title:	DSA-1520-1 smarty - arbitrary code execution
Description:	It was discovered that the regex module in Smarty, a PHP templating engine, allows attackers to call arbitrary PHP functions via templates using the regex_replace plugin by a specially crafted search string.
Family:	unix	Class:	patch
Reference(s):	DSA-1520-1 CVE-2008-1066	Version:	7
Platform(s):	Debian GNU/Linux 4.0	Product(s):	smarty
Definition Synopsis:
Debian GNU/Linux 4.0 is installed. AND smarty DPKG is earlier than 2.6.14-1etch1

Definition Id: oval:org.mitre.oval:def:7776

Oval ID:	oval:org.mitre.oval:def:7776
Title:	DSA-1520 smarty -- insufficient input sanitising
Description:	It was discovered that the regex module in Smarty, a PHP templating engine, allows attackers to call arbitrary PHP functions via templates using the regex_replace plugin by a specially crafted search string.
Family:	unix	Class:	patch
Reference(s):	DSA-1520 CVE-2008-1066	Version:	3
Platform(s):	Debian GNU/Linux 4.0 Debian GNU/Linux 3.1	Product(s):	smarty
Definition Synopsis:
Release section Debian GNU/Linux 4.0 is installed. AND Installed architecture is all AND smarty is earlier than 2.6.14-1etch1 OR Release section Debian GNU/Linux 3.1 is installed AND Installed architecture is all AND smarty is earlier than 2.6.9-1sarge1

Definition Id: oval:org.mitre.oval:def:7911

Oval ID:	oval:org.mitre.oval:def:7911
Title:	DSA-1919 smarty -- several vulnerabilities
Description:	Several remote vulnerabilities have been discovered in Smarty, a PHP templating engine. The Common Vulnerabilities and Exposures project identifies the following problems: The _expand_quoted_text function allows for certain restrictions in templates, like function calling and PHP execution, to be bypassed. The smarty_function_math function allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the equation attribute of the math function.
Family:	unix	Class:	patch
Reference(s):	DSA-1919 CVE-2008-4810 CVE-2009-1669	Version:	3
Platform(s):	Debian GNU/Linux 5.0 Debian GNU/Linux 4.0	Product(s):	smarty
Definition Synopsis:
Release section Debian GNU/Linux 5.0 is installed AND Installed architecture is all AND smarty is earlier than 2.6.20-1.2 OR Release section Debian GNU/Linux 4.0 is installed. AND Installed architecture is all AND smarty is earlier than 2.6.14-1etch2

CPE : Common Platform Enumeration

Type	Description	Count
Application	Smarty cpe:2.3:a:smarty:smarty:2.6.9:::::::* cpe:2.3:a:smarty:smarty:2.6.7:::::::* cpe:2.3:a:smarty:smarty:2.6.6:::::::* cpe:2.3:a:smarty:smarty:2.6.5:::::::* cpe:2.3:a:smarty:smarty:2.6.4:::::::* cpe:2.3:a:smarty:smarty:2.6.3:::::::* cpe:2.3:a:smarty:smarty:2.6.22:::::::* cpe:2.3:a:smarty:smarty:2.6.20:::::::* cpe:2.3:a:smarty:smarty:2.6.2:::::::* cpe:2.3:a:smarty:smarty:2.6.18:::::::* cpe:2.3:a:smarty:smarty:2.6.17:::::::* cpe:2.3:a:smarty:smarty:2.6.16:::::::* cpe:2.3:a:smarty:smarty:2.6.15:::::::* cpe:2.3:a:smarty:smarty:2.6.14:::::::* cpe:2.3:a:smarty:smarty:2.6.13:::::::* cpe:2.3:a:smarty:smarty:2.6.12:::::::* cpe:2.3:a:smarty:smarty:2.6.11:::::::* cpe:2.3:a:smarty:smarty:2.6.10:::::::* cpe:2.3:a:smarty:smarty:2.6.1:::::::* cpe:2.3:a:smarty:smarty:2.6.0:::::::* cpe:2.3:a:smarty:smarty:2.6.0:rc2:::::: cpe:2.3:a:smarty:smarty:2.6.0:rc3:::::: cpe:2.3:a:smarty:smarty:2.6.0:rc1:::::: cpe:2.3:a:smarty:smarty:2.5.0:::::::* cpe:2.3:a:smarty:smarty:2.5.0:rc2:::::: cpe:2.3:a:smarty:smarty:2.5.0:rc1:::::: cpe:2.3:a:smarty:smarty:2.4.2:::::::* cpe:2.3:a:smarty:smarty:2.4.1:::::::* cpe:2.3:a:smarty:smarty:2.4.0:::::::* cpe:2.3:a:smarty:smarty:2.3.1:::::::* cpe:2.3:a:smarty:smarty:2.3.0:::::::* cpe:2.3:a:smarty:smarty:2.2.0:::::::* cpe:2.3:a:smarty:smarty:2.1.1:::::::* cpe:2.3:a:smarty:smarty:2.1.0:::::::* cpe:2.3:a:smarty:smarty:2.0.1:::::::* cpe:2.3:a:smarty:smarty:2.0.0:::::::* cpe:2.3:a:smarty:smarty:1.5.2:::::::* cpe:2.3:a:smarty:smarty:1.5.1:::::::* cpe:2.3:a:smarty:smarty:1.5.0:::::::* cpe:2.3:a:smarty:smarty:1.4.6:::::::* cpe:2.3:a:smarty:smarty:1.4.5:::::::* cpe:2.3:a:smarty:smarty:1.4.4:::::::* cpe:2.3:a:smarty:smarty:1.4.3:::::::* cpe:2.3:a:smarty:smarty:1.4.2:::::::* cpe:2.3:a:smarty:smarty:1.4.1:::::::* cpe:2.3:a:smarty:smarty:1.4.0:b1:::::: cpe:2.3:a:smarty:smarty:1.4.0:::::::* cpe:2.3:a:smarty:smarty:1.4.0:b2:::::: cpe:2.3:a:smarty:smarty:1.3.2:::::::* cpe:2.3:a:smarty:smarty:1.3.1:::::::* cpe:2.3:a:smarty:smarty:1.3.0:::::::* cpe:2.3:a:smarty:smarty:1.2.2:::::::* cpe:2.3:a:smarty:smarty:1.2.1:::::::* cpe:2.3:a:smarty:smarty:1.2.0:::::::* cpe:2.3:a:smarty:smarty:1.1.0:::::::* cpe:2.3:a:smarty:smarty:1.0b:::::::* cpe:2.3:a:smarty:smarty:1.0a:::::::* cpe:2.3:a:smarty:smarty:1.0:::::::* cpe:2.3:a:smarty:smarty::::::::	59

OpenVAS Exploits

Date	Description
2012-02-12	Name : Gentoo Security Advisory GLSA 201111-04 (PhpDocumentor) File : nvt/glsa_201111_04.nasl
2011-03-09	Name : Gentoo Security Advisory GLSA 201006-13 (smarty) File : nvt/glsa_201006_13.nasl
2010-08-21	Name : Debian Security Advisory DSA 1919-2 (smarty) File : nvt/deb_1919_2.nasl
2009-10-27	Name : Debian Security Advisory DSA 1919-1 (smarty) File : nvt/deb_1919_1.nasl
2009-06-30	Name : Ubuntu USN-791-3 (smarty) File : nvt/ubuntu_791_3.nasl
2009-06-30	Name : Ubuntu USN-791-1 (moodle) File : nvt/ubuntu_791_1.nasl
2009-06-05	Name : Fedora Core 9 FEDORA-2009-5516 (php-Smarty) File : nvt/fcore_2009_5516.nasl
2009-06-05	Name : Fedora Core 11 FEDORA-2009-5520 (php-Smarty) File : nvt/fcore_2009_5520.nasl
2009-06-05	Name : Fedora Core 10 FEDORA-2009-5525 (php-Smarty) File : nvt/fcore_2009_5525.nasl
2009-06-05	Name : Ubuntu USN-723-1 (git-core) File : nvt/ubuntu_723_1.nasl
2009-06-05	Name : Ubuntu USN-698-1 (nagios) File : nvt/ubuntu_698_1.nasl
2009-03-02	Name : Mandrake Security Advisory MDVSA-2009:052 (php-smarty) File : nvt/mdksa_2009_052.nasl
2009-02-17	Name : Fedora Update for php-Smarty FEDORA-2008-9401 File : nvt/gb_fedora_2008_9401_php-Smarty_fc8.nasl
2009-02-17	Name : Fedora Update for php-Smarty FEDORA-2008-9420 File : nvt/gb_fedora_2008_9420_php-Smarty_fc9.nasl
2009-02-16	Name : Fedora Update for php-pear-PhpDocumentor FEDORA-2008-2656 File : nvt/gb_fedora_2008_2656_php-pear-PhpDocumentor_fc8.nasl
2009-02-16	Name : Fedora Update for gallery2 FEDORA-2008-2650 File : nvt/gb_fedora_2008_2650_gallery2_fc8.nasl
2009-02-16	Name : Fedora Update for gallery2 FEDORA-2008-2587 File : nvt/gb_fedora_2008_2587_gallery2_fc7.nasl
2009-02-16	Name : Fedora Update for php-Smarty FEDORA-2008-10409 File : nvt/gb_fedora_2008_10409_php-Smarty_fc10.nasl
2008-12-29	Name : Ubuntu USN-698-2 (nagios3) File : nvt/ubuntu_698_2.nasl
2008-12-29	Name : Ubuntu USN-699-1 (blender) File : nvt/ubuntu_699_1.nasl
2008-12-29	Name : Debian Security Advisory DSA 1691-1 (moodle) File : nvt/deb_1691_1.nasl
2008-03-19	Name : Debian Security Advisory DSA 1520-1 (smarty) File : nvt/deb_1520_1.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
54380	Smarty libs/plugins/function.math.php smarty_function_math() Function Templat...
49943	Smarty libs/Smarty_Compiler.class.php _expand_quoted_text() Function Arbitrar...
43064	Smarty modifier.regex_replace.php Plugin Search String Arbitrary PHP Code Exe...

Nessus® Vulnerability Scanner

Date	Description
2011-11-14	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201111-04.nasl - Type : ACT_GATHER_INFO
2010-06-03	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201006-13.nasl - Type : ACT_GATHER_INFO
2010-02-24	Name : The remote Debian host is missing a security-related update. File : debian_DSA-1919.nasl - Type : ACT_GATHER_INFO
2009-06-25	Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-791-3.nasl - Type : ACT_GATHER_INFO
2009-06-25	Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-791-1.nasl - Type : ACT_GATHER_INFO
2009-05-28	Name : The remote Fedora host is missing a security update. File : fedora_2009-5516.nasl - Type : ACT_GATHER_INFO
2009-05-28	Name : The remote Fedora host is missing a security update. File : fedora_2009-5525.nasl - Type : ACT_GATHER_INFO
2009-05-28	Name : The remote Fedora host is missing a security update. File : fedora_2009-5520.nasl - Type : ACT_GATHER_INFO
2009-04-23	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-052.nasl - Type : ACT_GATHER_INFO
2009-04-23	Name : The remote Fedora host is missing a security update. File : fedora_2008-10409.nasl - Type : ACT_GATHER_INFO
2008-12-22	Name : The remote Debian host is missing a security-related update. File : debian_DSA-1691.nasl - Type : ACT_GATHER_INFO
2008-11-07	Name : The remote Fedora host is missing a security update. File : fedora_2008-9420.nasl - Type : ACT_GATHER_INFO
2008-11-07	Name : The remote Fedora host is missing a security update. File : fedora_2008-9401.nasl - Type : ACT_GATHER_INFO
2008-04-18	Name : The remote Fedora host is missing a security update. File : fedora_2008-2650.nasl - Type : ACT_GATHER_INFO
2008-04-18	Name : The remote Fedora host is missing a security update. File : fedora_2008-2587.nasl - Type : ACT_GATHER_INFO
2008-03-28	Name : The remote Fedora host is missing a security update. File : fedora_2008-2656.nasl - Type : ACT_GATHER_INFO
2008-03-21	Name : The remote openSUSE host is missing a security update. File : suse_moodle-5109.nasl - Type : ACT_GATHER_INFO
2008-03-17	Name : The remote Debian host is missing a security-related update. File : debian_DSA-1520.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 11:36:53	Multiple Updates

Global Informations

Type	Count
CWE ID(s)	4
Oval ID(s)	6
CPE ID(s)	59
osvdb(s)	3
Openvas Exploit(s)	22
Nessus® Exploit(s)	18

	Related
10	CVE-2009-1669
7.5	CVE-2008-4811
7.5	CVE-2008-4810
7.5	CVE-2008-1066
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 4 more Alert(s)

10 - GLSA-201006-13

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

OVAL Definitions

CPE : Common Platform Enumeration

OpenVAS Exploits

Open Source Vulnerability Database (OSVDB)

Nessus® Vulnerability Scanner

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU