Vulnerabilities in the Smarty PHP template engine could be exploited to achieve remote code execution (RCE) in third-party applications, a security researcher has warned. Two separate sandbox escape vulnerabilities in the open source engine can be leveraged to execute arbitrary code on dependent software, a blog post reveals. Smarty, a template engine for PHP, enables the separation of web app presentation code – namely HTML and CSS – from application logic.
Smarty is used by a number of third-party applications. meaning that vulnerabilities in the template engine could leave these platforms open to exploitation. However, only applications that allow users to modify Smarty templates are affected. Applications who only use static templates are safe from these exploits. Source Incite researchers detailed how they were able to achieve RCE in two CMS applications, Tiki Wiki CMS Groupware and CMS Made Simple, by combining the bugs with other existing software vulnerabilities.
A vulnerability (CVE-2019-9053), in CMS Made Simple, first reported by Daniele Scanu, allows an unauthenticated user to launch an SQL injection attack to bypass authentication and reset the administrator password. As discovered by Source Incite researcher Steven Seeley, a flaw in Smarty (CVE-2021-26120), allows an authenticated user with ‘designer’ permissions to escape the Smarty sandbox by leveraging the function ‘name’ property as part of a server-side template injection (SSTI) attack. Combined, the two vulnerabilities can allow an attacker to execute remote code execution on the CMS Made Simple application.
A proof of concept from Seeley resets the password for user_id 1 “which is probably the administrator”, they wrote. However, Seeley warns: “The administrator’s password will be reset to the administrator’s username. Use at your own risk.” A vulnerability in Tiki Wiki CMS (CVE-2020-15906), first reported by Maximilian Barz, allows a user to bypass authentication by brute-forcing the admin account until it is locked after 50 attempts. The password then resets and a user can login with a blank password. BACKGROUND Tiki Wiki authentication bypass flaw gives attackers full control of websites, intranets Although this bug has been patched, a second vulnerability in Smarty (CVE-2021-26119) enables an administrator to trigger server-side template injection and gain remote code execution by leveraging the’template_object’ property.
A proof of concept from Seeley warns that this exploit will lock the administrator out of their account. Seeley, who discovered the two bugs in Smarty, told The Daily Swig: “During the analysis of third-party applications that utilize the Smarty template engine. it was often found that it was configured in an insecure way and didn’t even use the sandbox feature. thus allowing trivial remote code execution to occur.” He was able to carry out the attacks on the two CMS platforms. but warned: “Many more applications are impacted in various ways. The Tiki Wiki and CMS Made Simple vulnerabilities have been patched, and Smarty users should ensure they are updated. The issues affect versions 3.1.38 and below. More details and a proof of concept can be found in this blog post.