CVE-2021-29454: Merge pull request from GHSA-29gp-2c3m-3j6m · smarty-php/smarty@215d81a

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.42 and 4.0.2, template authors could run arbitrary PHP code by crafting a malicious math string. If such a math string was passed through as user-provided data to the math function, external users could likewise run arbitrary PHP code. Users should upgrade to version 3.1.42 or 4.0.2 to receive a patch.

@@ -28,7 +28,12 @@ function smarty_function_math($params, $template)

‘int’ => true,

‘abs’ => true,

‘ceil’ => true,

‘acos’ => true,

‘acosh’ => true,

‘cos’ => true,

‘cosh’ => true,

‘deg2rad’ => true,

‘rad2deg’ => true,

‘exp’ => true,

‘floor’ => true,

‘log’ => true,
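
Review bot: the allowlist is the entire security boundary in front of the eval() later in this function, so every name added in this hunk ('acos', 'acosh', 'cosh', 'deg2rad', 'rad2deg' alongside the existing entries) must be a pure, side-effect-free math builtin, and the array deserves a one-line comment stating that admission criterion so later additions are held to it. Keeping the entries alphabetised would also make accidental duplicates easier to spot in review.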

@@ -39,27 +44,51 @@ function smarty_function_math($params, $template)

‘pow’ => true,

‘rand’ => true,

‘round’ => true,

‘asin’ => true,

‘asinh’ => true,

‘sin’ => true,

‘sinh’ => true,

‘sqrt’ => true,

‘srand’ => true,

‘tan’ => true

‘atan’ => true,

‘atanh’ => true,

‘tan’ => true,

‘tanh’ => true

);

// be sure equation parameter is present

if (empty($params[ ‘equation’ ])) {

trigger_error("math: missing equation parameter", E_USER_WARNING);

return;

}

$equation = $params[ ‘equation’ ];

// Remove whitespaces

$equation = preg_replace('/\s+/’, '’, $equation);

// Adapted from https://www.php.net/manual/en/function.eval.php#107377

$number = '(?:\d+(?:[,.]\d+)?|pi|π)'; // What is a number

$functionsOrVars = '((?:0x[a-fA-F0-9]+)|([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*))';

$operators = '[+\/*\^%-]'; // Allowed math operators

$regexp = '/^(('.$number.’|’.$functionsOrVars.’|(‘.$functionsOrVars.’\s*\((?1)+\)|\((?1)+\)))(?:’.$operators.’(?2))?)+$/’;

if (!preg_match($regexp, $equation)) {

trigger_error("math: illegal characters", E_USER_WARNING);

return;

}

// make sure parenthesis are balanced

if (substr_count($equation, '(') !== substr_count($equation, ')')) {

trigger_error("math: unbalanced parenthesis", E_USER_WARNING);

return;

}

// disallow backticks

if (strpos($equation, ‘`’) !== false) {

trigger_error("math: backtick character not allowed in equation", E_USER_WARNING);

return;

}

// also disallow dollar signs

if (strpos($equation, ‘$’) !== false) {

trigger_error("math: dollar signs not allowed in equation", E_USER_WARNING);
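
Review bot: the regexp by itself does not bind identifiers to the allowlist: `$functionsOrVars` accepts any `[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*` name, both as a call and as a standalone term, so the allowlist check has to sit between this hunk and the eval in the next one; that check is not visible in this diff, so please confirm it runs after the regexp passes and covers bare identifiers, not only the call form. Two further points on the grammar: a multi-argument call such as pow(2,3) only matches because `2,3` satisfies the `[,.]` branch of `$number = '(?:\d+(?:[,.]\d+)?|pi|π)';`, which also lets a top-level `1,5` through to eval, where it is not a valid literal and raises ParseError on PHP 7+, so the argument separator should be expressed explicitly (a comma between `(?1)` terms inside parentheses) rather than hidden in the number token; and `^` in `$operators = '[+\/*\^%-]';` is PHP's bitwise XOR, not exponentiation, so `2^3` evaluates to 1, which should either be documented or rewritten to pow() before eval. The backtick and `$` checks are already implied by the regexp's character classes; they are fine as defence in depth, but a comment saying so avoids a future cleanup removing the wrong one.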

@@ -96,6 +125,7 @@ function smarty_function_math($params, $template)

}

$smarty_math_result = null;

eval("\$smarty_math_result = " . $equation . “;”);

if (empty($params[ ‘format’ ])) {

if (empty($params[ ‘assign’ ])) {

return $smarty_math_result;
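
Review bot: eval() is still run on a string assembled from the caller's input, so any gap in the regexp above is directly remote code execution; consider replacing it with a small recursive-descent evaluator over the allowlisted functions so untrusted input never reaches the PHP parser. If eval stays, note that the regexp already admits inputs the parser rejects (for example `1,5` via the comma branch of `$number`), so wrap the call in try/catch for \Throwable (ParseError, DivisionByZeroError) and report through trigger_error like the checks above instead of letting the template render die.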

Related news

Gentoo Linux Security Advisory 202209-09

Gentoo Linux Security Advisory 202209-9 - Multiple vulnerabilities have been found in Smarty, the worst of which could result in remote code execution. Versions less than 4.2.1 are affected.

CVE-2021-26119: smarty/CHANGELOG.md at master · smarty-php/smarty

Smarty before 3.1.39 allows a Sandbox Escape because $smarty.template_object can be accessed in sandbox mode.
