CVE-2009-1669
Published 2009-05-18
Priority: P357 · critical · 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 14.12% (96.1th percentile)
The smarty_function_math function in libs/plugins/function.math.php in Smarty 2.6.22 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the equation attribute of the math function. NOTE: some of these details are obtained from third party information.
Affected
57 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | smarty3 | < smarty3 3.0.8-1 (bookworm) | smarty3 3.0.8-1 (bookworm) |
| smarty | smarty | <= 3.0.0 | — |
| smarty | smarty | — | — |
CVSS provenance
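| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | | 10.0 | CRITICAL | |
| vendor_debian | | 10.0 | CRITICAL | |
| vendor_redhat | | 10.0 | CRITICAL | |
| vendor_ubuntu | | 6.8 | MEDIUM | |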
GHSA
GHSA-wmf8-498j-7qmx: Unspecified vulnerability in the math plugin in Smarty before 3
ghsa_unreviewed·2022-05-17·CVSS 10.0
CVE-2010-4726 [CRITICAL] GHSA-wmf8-498j-7qmx: Unspecified vulnerability in the math plugin in Smarty before 3
Unspecified vulnerability in the math plugin in Smarty before 3.0.0 RC1 has unknown impact and remote attack vectors. NOTE: this might overlap CVE-2009-1669.
GHSA
GHSA-9qvp-f6pr-8g42: The smarty_function_math function in libs/plugins/function
ghsa_unreviewed·2022-05-02
CVE-2009-1669 [HIGH] CWE-20 GHSA-9qvp-f6pr-8g42: The smarty_function_math function in libs/plugins/function
The smarty_function_math function in libs/plugins/function.math.php in Smarty 2.6.22 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the equation attribute of the math function. NOTE: some of these details are obtained from third party information.
OSV
CVE-2010-4726: Unspecified vulnerability in the math plugin in Smarty before 3
osv·2011-02-03·CVSS 10.0
CVE-2010-4726 [CRITICAL] CVE-2010-4726: Unspecified vulnerability in the math plugin in Smarty before 3
Unspecified vulnerability in the math plugin in Smarty before 3.0.0 RC1 has unknown impact and remote attack vectors. NOTE: this might overlap CVE-2009-1669.
Debian
CVE-2010-4726: smarty3 - Unspecified vulnerability in the math plugin in Smarty before 3.0.0 RC1 has unkn...
vendor_debian·2010·CVSS 10.0
CVE-2010-4726 [CRITICAL] CVE-2010-4726: smarty3 - Unspecified vulnerability in the math plugin in Smarty before 3.0.0 RC1 has unkn...
Unspecified vulnerability in the math plugin in Smarty before 3.0.0 RC1 has unknown impact and remote attack vectors. NOTE: this might overlap CVE-2009-1669.
Scope: local
bookworm: resolved (fixed in 3.0.8-1)
bullseye: resolved (fixed in 3.0.8-1)
forky: resolved (fixed in 3.0.8-1)
sid: resolved (fixed in 3.0.8-1)
trixie: resolved (fixed in 3.0.8-1)
Ubuntu
Moodle vulnerabilities
vendor_ubuntu·2009-06-24·CVSS 6.8
CVE-2009-0500 [MEDIUM] Moodle vulnerabilities
Title: Moodle vulnerabilities
Summary: Moodle vulnerabilities
Thor Larholm discovered that PHPMailer, as used by Moodle, did not
correctly escape email addresses. A local attacker with direct access
to the Moodle database could exploit this to execute arbitrary commands
as the web server user. (CVE-2007-3215)
Nigel McNie discovered that fetching https URLs did not correctly escape
shell meta-characters. An authenticated remote attacker could execute
arbitrary commands as the web server user, if curl was installed and
configured. (CVE-2008-4796, MSA-09-0003)
It was discovered that Smarty (also included in Moodle), did not
correctly filter certain inputs. An authenticated remote attacker could
exploit this to execute arbitrary PHP commands as the web server user.
(CVE-2008-4810, CVE-2008
Ubuntu
Smarty vulnerability
vendor_ubuntu·2009-06-24
CVE-2009-1669 Smarty vulnerability
Title: Smarty vulnerability
Summary: Smarty vulnerability
It was discovered that Smarty did not correctly filter certain math
inputs. A remote attacker using Smarty via a web service could exploit
this to execute subsets of shell commands as the web server user.
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Red Hat
Smarty: arbitrary commands execution via shell metacharacters in the equation attribute of the math function
vendor_redhat·2009-05-13·CVSS 10.0
CVE-2009-1669 [CRITICAL] Smarty: arbitrary commands execution via shell metacharacters in the equation attribute of the math function
The smarty_function_math function in libs/plugins/function.math.php in Smarty 2.6.22 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the equation attribute of the math function. NOTE: some of these details are obtained from third party information.
No detection rules found.
Bugzilla
CVE-2010-4724 CVE-2010-4725 CVE-2010-4727 php-Smarty: Multiple unspecified vulnerabilities in Smarty 3.0.0 before RC3
bugzilla·2011-10-25·CVSS 10.0
CVE-2010-4724 [CRITICAL] CVE-2010-4724 CVE-2010-4725 CVE-2010-4727 php-Smarty: Multiple unspecified vulnerabilities in Smarty 3.0.0 before RC3
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4724 to
the following vulnerability:
Multiple unspecified vulnerabilities in the parser implementation in Smarty before 3.0.0 RC3 have unknown impact and remote attack vectors.
References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4724
[2] http://smarty-php.googlecode.com/svn/trunk/distribution/change_log.txt
Discussion:
Relevant Smarty Changelog [2] entries:
===== RC3 =====
15/07/2010
..
20/06/2010
- replace internal get_time() calls with standard PHP5 microtime(true) calls
- closed security hole when php.ini asp_tags = on
..
17/04/2010
- security fix in {math} plugin
..
01/12/20
Bugzilla
CVE-2010-4726 php-Smarty: Unspecified vulnerability in math plug-in in Smarty 3.0.0 before RC1
bugzilla·2011-10-25·CVSS 10.0
CVE-2010-4726 [CRITICAL] CVE-2010-4726 php-Smarty: Unspecified vulnerability in math plug-in in Smarty 3.0.0 before RC1
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4726 to
the following vulnerability:
Unspecified vulnerability in the math plugin in Smarty before 3.0.0 RC1 has unknown impact and remote attack vectors. NOTE: this might overlap CVE-2009-1669.
References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4726
[2] http://smarty-php.googlecode.com/svn/trunk/distribution/change_log.txt
Discussion:
Relevant Smarty Changelog [2] entry:
===== RC1 =====
..
17/04/2010
- security fix in {math} plugin
and related SVN log record:
r3555 | Uwe.Tews | 2010-04-17 12:24:44 +0200 (Sat, 17 Apr 2010) | 2 lines
- security fix in {math} plugin
---
Created attachment 530103
Smar
Bugzilla
pgpoolAdmin: multiple vulnerabilities in embedded Smarty (2.6.13)
bugzilla·2010-09-22·CVSS 7.5
CVE-2009-1669 [HIGH] pgpoolAdmin: multiple vulnerabilities in embedded Smarty (2.6.13)
Silvio Cesare reported that pgpoolAdmin includes an embedded copy of the Smarty PHP template engine that is vulnerable to a number of security-related issues. The version of Smarty bundled in pgpoolAdmin 2.2 is 2.6.13, while the current version of Smarty is 2.6.25. This would make the embedded version of Smarty, and thus pgpoolAdmin, vulnerable to a number of issues with CVE names, including:
CVE-2009-1669
CVE-2008-4811
CVE-2008-4810
CVE-2008-1066
There may be others as well. The Smarty changelog [1] does identify a number of fixes since the 2.6.2 release.
Ideally, we should update the embedded version of Smarty to 2.6.25, however I have no idea if that will break anything as that is quite the jump. We may have to identi
Bugzilla
ser: multiple vulnerabilities in embedded Smarty (2.6.2)
bugzilla·2010-09-22·CVSS 7.5
CVE-2009-1669 [HIGH] ser: multiple vulnerabilities in embedded Smarty (2.6.2)
Silvio Cesare reported that serweb (part of the ser package) includes an embedded copy of the Smarty PHP template engine that is vulnerable to a number of security-related issues. The version of Smarty bundled in serweb 0.9.4 is 2.6.2, while the current version of Smarty is 2.6.25. This would make the embedded version of Smarty, and thus serweb, vulnerable to a number of issues with CVE names, including:
CVE-2009-1669
CVE-2008-4811
CVE-2008-4810
CVE-2008-1066
There may be others as well. The Smarty changelog [1] does identify a number of fixes since the 2.6.2 release.
It does not look as though there has been any upstream activity in two years. Four years ago Smarty was updated to 2.6.10 in CVS [2], but that was not reflected in
Bugzilla
CVE-2009-1669 Smarty: arbitrary commands execution via shell metacharacters in the equation attribute of the math function
bugzilla·2009-05-19·CVSS 10.0
CVE-2009-1669 [CRITICAL] CVE-2009-1669 Smarty: arbitrary commands execution via shell metacharacters in the equation attribute of the math function
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1669 to
the following vulnerability:
The smarty_function_math function in libs/plugins/function.math.php in
Smarty 2.6.22 allows context-dependent attackers to execute arbitrary
commands via shell metacharacters in the equation attribute of the
math function. NOTE: some of these details are obtained from third
party information.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1669
http://www.milw0rm.com/exploits/8659
http://www.securityfocus.com/bid/34918
http://osvdb.org/54380
http://secunia.com/advisories/35072
http://xforce.iss.net/xforce/xfdb/50457
Smarty related references:
http://osvdb.org/54380
http://secunia.com/advisories/35072
http://secunia.com/advisories/35219
http://www.securityfocus.com/bid/34918
http://www.ubuntu.com/usn/usn-791-3
https://exchange.xforce.ibmcloud.com/vulnerabilities/50457
https://www.exploit-db.com/exploits/8659
https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01274.html
https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01283.html
https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01287.html