Code Injection in smarty.php.net Smarty

1) Code Injection

EUVDB-ID: #VU41180

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2014-8350

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Smarty before 3.1.21 allows remote attackers to bypass the secure mode restrictions and execute arbitrary PHP code as demonstrated by "{literal}<{/literal}script language=php>" in a template.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Smarty: 1.0 b - 3.1.19

CPE2.3

• cpe:2.3:a:smarty_php_net:smarty:1.0:*:*:*:*:*:*:*
• cpe:2.3:a:smarty_php_net:smarty:1.1.0:*:*:*:*:*:*:*
• cpe:2.3:a:smarty_php_net:smarty:1.2.2:*:*:*:*:*:*:*
• cpe:2.3:a:smarty_php_net:smarty:1.3.2:*:*:*:*:*:*:*
• cpe:2.3:a:smarty_php_net:smarty:1.4.6:*:*:*:*:*:*:*
• cpe:2.3:a:smarty_php_net:smarty:1.5.2:*:*:*:*:*:*:*
• cpe:2.3:a:smarty_php_net:smarty:2.0.1:*:*:*:*:*:*:*
• cpe:2.3:a:smarty_php_net:smarty:2.1.1:*:*:*:*:*:*:*
• cpe:2.3:a:smarty_php_net:smarty:2.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:smarty_php_net:smarty:2.3.1:*:*:*:*:*:*:*

External links

https://advisories.mageia.org/MGASA-2014-0468.html
https://seclists.org/oss-sec/2014/q4/420
https://seclists.org/oss-sec/2014/q4/421
https://www.mandriva.com/security/advisories?name=MDVSA-2014:221
https://www.securityfocus.com/bid/70708
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765920
https://code.google.com/p/smarty-php/source/browse/trunk/distribution/change_log.txt?r=4902
https://exchange.xforce.ibmcloud.com/vulnerabilities/97725

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.