SRC-2021-0009 : Smarty Template Engine template_object Sandbox Escape Remote Code Execution Vulnerability
CVE ID: CVE-2021-26119
CVSS Score: 8.1 (/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Vendors: Smarty
Affected Products: Smarty Template Engine
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Smarty Template Engine. Authentication is context dependent and may not be required to exploit this vulnerability.
The specific flaw exists within the Smarty_Internal_Compile_Private_Special_Variable class. The issue results from the lack of proper restriction on access to the template_object property, which can result in dangerous method calls. An attacker can leverage this vulnerability to escape the sandbox and execute arbitrary PHP code.
Smarty has issued an update to correct this vulnerability. More details can be found at: https://github.com/smarty-php/smarty/security/advisories/GHSA-w5hr-jm4j-9jvq
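For auditing stored or user-editable templates alongside the update, the following added example (not part of the original advisory or of Smarty) lists template tags that reference `template_object`. It assumes the property is reached through Smarty's `$smarty` special variable; the function name, the bracket-form and case-insensitive matching, and the sample template are constructed for illustration.

```python
import re

# Assumption of this example: templates reach the property through the
# $smarty special variable. Dot and bracket forms are both flagged and case
# is ignored; over-matching is acceptable for an audit.
REF = re.compile(r"\$smarty\s*(?:\.\s*|\[\s*['\"]?\s*)template_object\b", re.I)


def _blank(match):
    # Replace a span with only its newlines so line numbers stay correct.
    return "\n" * match.group(0).count("\n")


def find_template_object_refs(source, ldelim="{", rdelim="}"):
    """Return [(line_number, tag_text)] for tags referencing template_object."""
    ld, rd = re.escape(ldelim), re.escape(rdelim)
    # Comments {* ... *} and {literal} blocks are not compiled as tags.
    source = re.sub(ld + r"\*.*?\*" + rd, _blank, source, flags=re.S)
    source = re.sub(ld + "literal" + rd + ".*?" + ld + "/literal" + rd,
                    _blank, source, flags=re.S | re.I)
    hits = []
    # A delimiter followed by whitespace is treated as literal text, so skip it.
    for tag in re.finditer(ld + r"(?!\s)(.*?)" + rd, source, flags=re.S):
        if REF.search(tag.group(1)):
            line = source.count("\n", 0, tag.start()) + 1
            hits.append((line, tag.group(0)))
    return hits


# Constructed sample template, not taken from any real application.
SAMPLE = """{* note: {$smarty.template_object} inside a comment *}
<h1>{$title|escape}</h1>
{literal}var s = "{$smarty.template_object}";{/literal}
{if $smarty.template_object}x{/if}
<p>{$smarty.now|date_format}</p>
{$smarty['template_object']}
"""

if __name__ == "__main__":
    for line, tag in find_template_object_refs(SAMPLE):
        print(f"line {line}: {tag}")
```

A hit is a prompt for manual review of who can edit that template, not proof of exploitation.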
2021-01-24 – Sent to Simon Wisselink
2021-02-17 – Coordinated public release of advisory
Proof of Concept:
Credit: This vulnerability was discovered by Steven Seeley (mr_me) of Qihoo 360 Vulcan Team