Vulnerability Name: CVE-2009-1669 (CCN-50457)

Assigned: 2009-05-12
Published: 2009-05-12
Updated: 2017-09-29
Summary: The smarty_function_math function in libs/plugins/function.math.php in Smarty 2.6.22 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the equation attribute of the math function.
Note: some of these details are obtained from third party information.
Per http://secunia.com/advisories/35072
"The vulnerability is confirmed in version 2.6.22 on Windows. Other versions may also be affected."
CVSS v3 Severity: 7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity: 10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
9.0 High (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:U/RC:UR)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
6.8 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:U/RC:UR)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type: CWE-20
Vulnerability Consequences: Gain Access
References:

Source: MITRE
Type: CNA
CVE-2009-1669

Source: CCN
Type: Mahara Web Site
Mahara 1.2.4, 1.1.8, and 1.0.14 Released

Source: OSVDB
Type: UNKNOWN
54380

Source: CCN
Type: SA35072
Smarty "smarty_function_math()" Template Security Bypass

Source: SECUNIA
Type: Vendor Advisory
35072

Source: SECUNIA
Type: UNKNOWN
35219

Source: DEBIAN
Type: DSA-1919
smarty -- several vulnerabilities

Source: CCN
Type: GLSA-201006-13
Smarty: Multiple vulnerabilities

Source: CCN
Type: OSVDB ID: 54380
Smarty libs/plugins/function.math.php smarty_function_math() Function Template Security Bypass Arbitrary Command Execution

Source: BID
Type: Exploit
34918

Source: CCN
Type: BID-34918
Smarty Template Engine 'function.math.php' Security Bypass Vulnerability

Source: CCN
Type: Smarty Web site
Smarty Template Engine

Source: CCN
Type: USN-791-1
Moodle vulnerabilities

Source: CCN
Type: USN-791-3
Smarty vulnerability

Source: UBUNTU
Type: UNKNOWN
USN-791-3

Source: XF
Type: UNKNOWN
smarty-smartyfunctionmath-cmd-execution(50457)

Source: EXPLOIT-DB
Type: UNKNOWN
8659

Source: FEDORA
Type: UNKNOWN
FEDORA-2009-5525

Source: FEDORA
Type: UNKNOWN
FEDORA-2009-5516

Source: FEDORA
Type: UNKNOWN
FEDORA-2009-5520

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:smarty:smarty:2.6.22:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:mahara:mahara:1.0.8:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.0.10:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.0.9:*:*:*:*:*:*:*
  • OR cpe:/a:smarty:smarty:2.6.22:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.0.11:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.0.12:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:mahara:mahara:1.1.3:*:*:*:*:*:*:*
  • AND
  • cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:4.0:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu:8.04::lts:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:5.0:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions

    Definition ID | Class | Title | Last Modified
    oval:org.mitre.oval:def:13687 | P | USN-791-1 -- moodle vulnerabilities | 2014-07-07
    oval:org.mitre.oval:def:13807 | P | USN-791-3 -- smarty vulnerability | 2014-06-30
    oval:org.mitre.oval:def:7911 | P | DSA-1919 smarty -- several vulnerabilities | 2014-06-23
    oval:org.mitre.oval:def:13108 | P | DSA-1919-1 smarty -- several | 2014-06-23
    oval:org.mitre.oval:def:13560 | P | DSA-1919-2 smarty -- several | 2014-06-23
    oval:org.debian:def:1919 | V | several vulnerabilities | 2009-10-25
    smarty smarty 2.6.22
    mahara mahara 1.0.8
    mahara mahara 1.0.6
    mahara mahara 1.0.5
    mahara mahara 1.0.4
    mahara mahara 1.0.3
    mahara mahara 1.0.2
    mahara mahara 1.0.1
    mahara mahara 1.1.1
    mahara mahara 1.1.0
    mahara mahara 1.0.10
    mahara mahara 1.1.2
    mahara mahara 1.0.9
    smarty smarty 2.6.22
    mahara mahara 1.1.4
    mahara mahara 1.0.11
    mahara mahara 1.0.12
    mahara mahara 1.1.5
    mahara mahara 1.1.6
    mahara mahara 1.1.3
    gentoo linux *
    debian debian linux 4.0
    canonical ubuntu 8.04
    debian debian linux 5.0