SRC-2021-0010 : Smarty Template Engine Smarty_Internal_Runtime_TplFunction Sandbox Escape Remote Code Execution Vulnerability
CVE ID: CVE-2021-26120
CVSS Score: 8.1 (/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Vendors: Smarty
Affected Products: Smarty Template Engine
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Smarty Template Engine. Authentication is context dependent and may not be required to exploit this vulnerability.
The specific flaw exists within the Smarty_Internal_Compile_Function class. The issue results from the lack of proper validation of the name property of a function definition. An attacker can leverage this vulnerability to escape the sandbox and execute arbitrary PHP code.
Smarty has issued an update to correct this vulnerability. More details can be found at: https://github.com/smarty-php/smarty/security/advisories/GHSA-3rpf-5rqv-689q
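A defender-side check for the flaw described above, as an added example that is not part of the original advisory or of Smarty's code: it audits template source for {function} definitions whose name is not a plain identifier. The allow-list pattern, the default { } delimiters and the sample templates are assumptions made for illustration.

```python
import re

# Assumption: a plain ASCII identifier is the only acceptable function name.
SAFE_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")
TAG_OPEN = re.compile(r"\{function\s+")   # default Smarty delimiters assumed
TAG_CLOSE = re.compile(r"\s*\}")
# One attribute: optional `key=` followed by a quoted or bare value.
ATTR = re.compile(r"""\s*(?:(?P<key>\w+)\s*=\s*)?
    (?P<val>"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[^\s}"']+)""", re.VERBOSE | re.DOTALL)

# Constructed sample templates (not taken from the advisory).
SAMPLE = (
    "{function name=menu level=0}...{/function}\n"
    "{function footer}...{/function}\n"
    '{function level=1 name="nav-menu"}...{/function}\n'
    "{function name='side bar'}...{/function}\n"
)

def function_names(template):
    """Yield (line, name) per {function} tag; name is None if unparseable."""
    for tag in TAG_OPEN.finditer(template):
        pos, shorthand, named = tag.end(), None, None
        while (m := ATTR.match(template, pos)) is not None:
            val = m.group("val")
            if val[0] in "\"'":
                val = val[1:-1]               # strip the surrounding quotes
            if m.group("key") == "name":
                named = val
            elif m.group("key") is None and shorthand is None:
                shorthand = val               # shorthand form: {function foo}
            pos = m.end()
        name = named if named is not None else shorthand
        if TAG_CLOSE.match(template, pos) is None:
            name = None                       # tag did not end cleanly
        yield template.count("\n", 0, tag.start()) + 1, name

def audit(template):
    """Return definitions whose name is missing or not a plain identifier."""
    return [(line, name) for line, name in function_names(template)
            if name is None or not SAFE_NAME.match(name)]

if __name__ == "__main__":
    for line, name in audit(SAMPLE):
        print(f"line {line}: suspicious function name {name!r}")
```

The scan does not skip {literal} blocks or {* comments *}, so occasional false positives are expected.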
2021-01-24 – Sent to Simon Wisselink
2021-02-17 – Coordinated public release of advisory
Proof of Concept:
Credit: This vulnerability was discovered by Steven Seeley (mr_me) of Qihoo 360 Vulcan Team