Jessica Haworth March 03, 2021 at 16:34 UTC
Updated: June 20, 2021 at 08:36 UTC
Now-fixed exploits surface for Tiki Wiki CMS and CMS Made Simple, but researchers warn many more apps may be vulnerable
Vulnerabilities in the PHP Smarty template engine could be exploited to perform remote code execution (RCE) in third-party applications, a security researcher warned.
Two separate sandbox escape vulnerabilities in the open source engine can be exploited to execute arbitrary code on dependent software, a blog post reveals.
Smarty, a template engine for PHP, separates the presentation code of the web application, namely HTML and CSS, from the application logic.
Smarty is used by a number of third-party applications, which means that vulnerabilities in the template engine could leave these platforms open to exploitation. However, only applications that allow users to modify Smarty templates are affected. Applications that only use static templates are immune to these exploits.
Source Incite researchers explained how they were able to achieve RCE in two CMS applications, Tiki Wiki CMS Groupware and CMS Made Simple, by combining the bugs with other existing software vulnerabilities.
A vulnerability (CVE-2019-9053) in CMS Made Simple, first reported by Daniele Scanu, allows an unauthenticated user to launch a SQL injection attack to bypass authentication and reset the administrator password.
As uncovered by Source Incite researcher Steven Seeley, a flaw in Smarty (CVE-2021-26120) allows an authenticated user with “designer” permissions to escape the Smarty sandbox by exploiting the function property as part of a server-side template injection (SSTI) attack.
Combined, the two vulnerabilities can allow an attacker to remotely execute code on the CMS Made Simple application.
A proof of concept by Seeley resets the password for user 1, “who is probably the administrator,” he wrote.
However, Seeley warns, “The administrator password will be reset to the administrator username. Use at your own risk.”
Tiki Wiki CMS
A vulnerability in Tiki Wiki CMS (CVE-2020-15906), first reported by Maximilian Barz, allows a user to bypass authentication by brute-forcing the administrator account until it is locked out after 50 attempts.
The password is then reset and a user can log in with a blank password.
Although this bug has been fixed, a second vulnerability in Smarty (CVE-2021-26119) allows an administrator to trigger server-side template injection and achieve remote code execution by exploiting a Smarty property.
A proof of concept by Seeley warns that this exploit will lock the administrator out of their account.
Seeley, who discovered the two bugs in Smarty, told The Daily Swig: “When analyzing third-party applications that use the Smarty template engine, it has often been found that it is configured insecurely and does not even use the sandbox function, thus trivially allowing remote code execution.”
He was able to carry out the attacks on both CMS platforms, but warned, “Many more applications are impacted in various ways.”
The Tiki Wiki and CMS Made Simple vulnerabilities have been fixed and Smarty users should ensure they are updated. The issues affect version 3.1.38 and lower.
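The article makes two defensive points: applications that only render developer-authored templates are not affected, and many deployments do not even enable Smarty's sandbox. The following PHP snippet is an added illustration, not code from the article, from Smarty, or from either CMS. It contrasts the risky pattern (untrusted input used as template source) with two safer patterns (untrusted input passed only as data, and a restrictive `Smarty_Security` policy for applications where user-editable templates are a deliberate feature). It assumes Smarty 3.1.x loaded via Composer; the directory names, the `page.tpl` template and the function names are made up, and the policy shown is a starting point rather than a complete hardening guide, since the sandbox escapes described above are only closed by updating Smarty itself.

```php
<?php
// Added illustration (not from the article, Smarty, Tiki Wiki or CMS Made Simple).
// Assumes Smarty 3.1.x installed with Composer; paths and template names are made up.
require __DIR__ . '/vendor/autoload.php';

// --- Risky pattern: untrusted input becomes the template *source* ------------------
// Whoever controls $userTemplate controls template code (an SSTI). With no
// enableSecurity() call, as the article reports is common, nothing stands between
// the template author and arbitrary code execution.
function renderUserTemplateUnsafely(Smarty $smarty, string $userTemplate): string
{
    return $smarty->fetch('string:' . $userTemplate);
}

// --- Safer pattern 1: untrusted input only ever enters as *data* -------------------
// Templates stay static and developer-authored; user content is a variable that the
// template escapes on output, so it can never be parsed as Smarty syntax.
function renderWithUserData(Smarty $smarty, string $userText): string
{
    $smarty->setTemplateDir(__DIR__ . '/templates');   // made-up directory
    $smarty->assign('user_text', $userText);
    // page.tpl (assumed) contains: <p>{$user_text|escape:'html'}</p>
    return $smarty->fetch('page.tpl');
}

// --- Safer pattern 2: user-editable templates are a feature, so sandbox them -------
// Builds a Smarty instance with an explicit, restrictive security policy. This limits
// what a template author can reach; it does not replace updating to a fixed release.
function buildRestrictiveSmarty(): Smarty
{
    $smarty = new Smarty();
    $smarty->allow_php_templates = false;          // never execute .php files as templates

    $policy = new Smarty_Security($smarty);
    $policy->php_handling = Smarty::PHP_REMOVE;    // strip raw <?php ... ?> from templates
    $policy->allow_constants = false;              // no access to PHP constants
    $policy->allow_super_globals = false;          // no $smarty.server / $_SERVER etc.
    $policy->static_classes = null;                // null disallows all static class access
    $policy->disabled_tags = ['php', 'include_php', 'eval'];
    $policy->secure_dir = [__DIR__ . '/templates/user'];   // only this tree may be read

    $smarty->enableSecurity($policy);
    return $smarty;
}
```

Even with pattern 2 in place, the Smarty version matters: the sandbox is exactly what CVE-2021-26119 and CVE-2021-26120 escape, so the policy above is a defence-in-depth layer on top of running a fixed release, not a substitute for it. Reviewing an application for calls like `fetch('string:...')`, `fetch('eval:...')` or template files written from user input is the quickest way to find out whether it falls into the affected class the article describes.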
More details and a proof of concept can be found in this blog post.