[ccpw id="5"]

HomeApplicationVulnerabilities in Smarty PHP template engine renders popular CMS platforms open to...

Vulnerabilities in Smarty PHP template engine renders popular CMS platforms open to abuse

-

Vulnerabilities in the Smarty PHP template engine could be exploited to achieve remote code execution (RCE) in third-party applications, a security researcher has warned.
Two separate sandbox escape vulnerabilities in the open source engine can be leveraged to execute arbitrary code on dependent software, a blog post reveals.
Smarty, a template engine for PHP, enables the separation of web app presentation code – namely HTML and CSS – from application logic.
Smarty is used by a number of third-party applications, meaning that vulnerabilities in the template engine could leave these platforms open to exploitation. However, only applications that allow users to modify Smarty templates are affected. Applications who only use static templates are safe from these exploits.
Source Incite researchers detailed how they were able to achieve RCE in two CMS applications, Tiki Wiki CMS Groupware and CMS Made Simple, by combining the bugs with other existing software vulnerabilities.
A vulnerability (CVE-2019-9053), in CMS Made Simple, first reported by Daniele Scanu, allows an unauthenticated user to launch an SQL injection attack to bypass authentication and reset the administrator password.
As discovered by Source Incite researcher Steven Seeley, a flaw in Smarty (CVE-2021-26120), allows an authenticated user with ‘designer’ permissions to escape the Smarty sandbox by leveraging the function ‘name’ property as part of a server-side template injection (SSTI) attack.
Combined, the two vulnerabilities can allow an attacker to execute remote code execution on the CMS Made Simple application.
A proof of concept from Seeley resets the password for user_id 1 “which is probably the administrator”, they wrote.
However, Seeley warns: “The administrator’s password will be reset to the administrator’s username. Use at your own risk.”
A vulnerability in Tiki Wiki CMS (CVE-2020-15906), first reported by Maximilian Barz, allows a user to bypass authentication by brute-forcing the admin account until it is locked after 50 attempts.
The password then resets and a user can login with a blank password.
BACKGROUND Tiki Wiki authentication bypass flaw gives attackers full control of websites, intranets
Although this bug has been patched, a second vulnerability in Smarty (CVE-2021-26119) enables an administrator to trigger server-side template injection and gain remote code execution by leveraging the‘template_object’ property.
A proof of concept from Seeley warns that this exploit will lock the administrator out of their account.
Seeley, who discovered the two bugs in Smarty, told The Daily Swig: “During the analysis of third-party applications that utilize the Smarty template engine, it was often found that it was configured in an insecure way and didn’t even use the sandbox feature, thus allowing trivial remote code execution to occur.”
He was able to carry out the attacks on the two CMS platforms, but warned: “Many more applications are impacted in various ways.
The Tiki Wiki and CMS Made Simple vulnerabilities have been patched, and Smarty users should ensure they are updated. The issues affect versions 3.1.38 and below.
More details and a proof of concept can be found in this blog post.

LATEST POSTS

Chime Phone Number

What is the Chime Phone Number? If you have an account with Chime, you've likely received an account number from the company. However, this number does...

Apple Store Near Me

How to Find an Apple Store Near Me To find an Apple Store near you, first go to the Apple website and select your region or...

Dodge Car

Tips For Buying a Dodge Car Dodge is a mid-priced automobile brand. It was founded by brothers John and Horace Dodge and is a competitor to...

Hybrid Car

How Does a Hybrid Car Work? The basic components of a hybrid car are an Internal combustion engine, an Electric motor, and a battery. This article...

Most Popular