SRC-2021-0009 : Smarty Template Engine template_object Sandbox Escape Remote Code Execution Vulnerability

CVE ID: CVE-2021-26119

CVSS Score: 8.1 (/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Vendors: Smarty

Affected Products: Smarty Template Engine

Vulnerability Details:

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Smarty Template Engine. Authentication is context dependent and may not be required to exploit this vulnerability.

The specific flaw exists within the Smarty_Internal_Compile_Private_Special_Variable class. The issue results from the lack of proper restriction on access to the template_object property, which can result in dangerous method calls. An attacker can leverage this vulnerability to escape the sandbox and execute arbitrary PHP code.
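An added example, not part of the original advisory or of Smarty's code: a Python audit helper that flags template tags referencing the property named above, for reviewing templates that come from untrusted authors. It assumes the default `{` and `}` delimiters and that the property is reached through the `$smarty` special variable as `$smarty.template_object`; the function name and the sample template are constructed for illustration.

```python
import re
import sys

# Smarty comments {* ... *} and {literal}...{/literal} spans are not compiled,
# so references inside them are ignored.
SKIP = re.compile(r"\{\*.*?\*\}|\{literal\}.*?\{/literal\}", re.S | re.I)
# Anything between the default delimiters is treated as a tag (assumption:
# delimiters were not changed in the Smarty configuration).
TAG = re.compile(r"\{[^{}]*\}")
# Deliberately broader than Smarty's own parser may accept (dot or bracket
# access, any letter case) so that odd spellings are reported, not missed.
REF = re.compile(r"\$smarty\s*(?:\.|\[\s*['\"]?)\s*template_object\b", re.I)

# Constructed sample template, not taken from any real application.
SAMPLE = """<h1>{$title}</h1>
{* {$smarty.template_object} mentioned in a comment *}
{literal}{$smarty.template_object}{/literal}
<p>{$smarty.now}</p>
{assign var=t value=$smarty.template_object}
{if $smarty.template_object}yes{/if}
"""

def find_template_object_refs(source):
    """Return (line_number, tag_text) for each tag that references the property."""
    # Blank out skipped spans but keep newlines so line numbers stay correct.
    cleaned = SKIP.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), source)
    hits = []
    for m in TAG.finditer(cleaned):
        if REF.search(m.group()):
            line = cleaned.count("\n", 0, m.start()) + 1
            hits.append((line, m.group()))
    return hits

if __name__ == "__main__":
    # Scan the template files given on the command line, or the sample if none.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line, tag in find_template_object_refs(fh.read()):
                    print(f"{path}:{line}: {tag}")
    else:
        for line, tag in find_template_object_refs(SAMPLE):
            print(f"sample:{line}: {tag}")
```

A hit is a prompt for manual review of the template, not proof of compromise; the vendor update referenced below remains the fix.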

Vendor Response:

Smarty has issued an update to correct this vulnerability. More details can be found at: https://github.com/smarty-php/smarty/security/advisories/GHSA-w5hr-jm4j-9jvq

Disclosure Timeline:

  • 2021-01-24 – Sent to Simon Wisselink

  • 2021-02-17 – Coordinated public release of advisory

Proof of Concept:

Credit: This vulnerability was discovered by Steven Seeley (mr_me) of Qihoo 360 Vulcan Team