SRC-2021-0010 : Smarty Template Engine Smarty_Internal_Runtime_TplFunction Sandbox Escape Remote Code Execution Vulnerability

CVE ID: CVE-2021-26120

CVSS Score: 8.1, (/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Vendors: Smarty

Affected Products: Smarty Template Engine

Vulnerability Details:

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Smarty Template Engine. Authentication is context dependent and may not be required to exploit this vulnerability.

The specific flaw exists within the Smarty_Internal_Compile_Function class. The issue results from the lack of proper validation of the name property of a function definition: the name is written into the compiled PHP template as-is. An attacker who controls template content can leverage this vulnerability to escape the Smarty sandbox and execute arbitrary PHP code.
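The following triage scanner is an added example and is not code from Source Incite or from the Smarty project. It walks stored Smarty templates, extracts the name attribute of every {function} tag and flags names that are not plain PHP identifiers, which is the property a compiled template function name must have before it is safe to splice into generated PHP. The identifier rule used here (ASCII letter or underscore, then letters, digits, underscores, or non-ASCII characters) is assumed to match what the fixed Smarty releases enforce; the default { } delimiters and the sample templates are also assumptions and are constructed for the example.

```python
import re

# Assumes Smarty's default "{" and "}" delimiters; deployments that set
# custom left/right delimiters must adjust this pattern accordingly.
# The name attribute may be unquoted, single-quoted or double-quoted.
FUNCTION_TAG = re.compile(
    r"\{\s*function\b[^}]*?\bname\s*=\s*"
    r"(?:\"(?P<dq>[^\"]*)\"|'(?P<sq>[^']*)'|(?P<bare>[^}\s]+))",
    re.IGNORECASE,
)

# PHP identifier grammar: a letter or underscore, then letters, digits,
# underscores; PHP also accepts bytes 0x80-0xff. Templates here are
# decoded str, so every non-ASCII code point is treated as acceptable,
# which is a slightly looser approximation of the byte-based rule.
PHP_IDENTIFIER = re.compile(r"^[A-Za-z_\x80-\U0010FFFF][A-Za-z0-9_\x80-\U0010FFFF]*$")


def is_safe_function_name(name: str) -> bool:
    """True if the name would survive as a bare identifier in compiled PHP."""
    return PHP_IDENTIFIER.match(name) is not None


def extract_function_names(template: str) -> list:
    """Return every {function name=...} name found in a template, in order."""
    names = []
    for m in FUNCTION_TAG.finditer(template):
        names.append(m.group("dq") or m.group("sq") or m.group("bare") or "")
    return names


def find_unsafe_function_names(template: str) -> list:
    """Names in the template that are not valid PHP identifiers."""
    return [n for n in extract_function_names(template) if not is_safe_function_name(n)]


def scan_templates(templates: dict) -> dict:
    """Map template path -> list of unsafe names, keeping only templates with findings."""
    findings = {}
    for path, body in templates.items():
        unsafe = find_unsafe_function_names(body)
        if unsafe:
            findings[path] = unsafe
    return findings


# Constructed sample templates (not real application files).
SAMPLE_TEMPLATES = {
    "menu.tpl": "{function name=menu level=0}<ul>{$data}</ul>{/function}{menu data=$items}",
    "quoted.tpl": "{function name=\"render_row\"}<tr>{$row}</tr>{/function}",
    "odd.tpl": "{function name='bad()' level=0}x{/function}{function name=foo;bar}y{/function}",
}


if __name__ == "__main__":
    for path, names in scan_templates(SAMPLE_TEMPLATES).items():
        print(f"{path}: non-identifier function name(s): {names}")
```

This is a heuristic for finding suspicious stored templates, not a parser: a name containing the closing delimiter or a template that builds tags dynamically can slip past it. Upgrading to a fixed Smarty release remains the actual mitigation; the scanner only helps locate templates to review on hosts where untrusted users can author templates.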

Vendor Response:

Smarty has issued an update to correct this vulnerability. More details can be found at: https://github.com/smarty-php/smarty/security/advisories/GHSA-3rpf-5rqv-689q

Disclosure Timeline:

  • 2021-01-24 – Sent to Simon Wisselink

  • 2021-02-17 – Coordinated public release of advisory

Proof of Concept:

Credit: This vulnerability was discovered by Steven Seeley (mr_me) of Qihoo 360 Vulcan Team