The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used by Serendipity (S9Y) and other products, allows attackers to call arbitrary PHP functions via templates, related to a '\0' character in a search string.

The remote host is affected by the vulnerability described in GLSA-201111-04 (phpDocumentor: Function call injection)

    phpDocumentor bundles Smarty with the modifier.regex_replace.php plug-in       which does not properly sanitize input related to the ASCII NUL character       in a search string.
  Impact :

    A remote attacker could call arbitrary PHP functions via templates.
  Workaround :

    There is no known workaround at this time.

The remote host is affected by the vulnerability described in GLSA-201006-13 (Smarty: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Smarty:
    The vendor reported that the modifier.regex_replace.php plug-in     contains an input sanitation flaw related to the ASCII NUL character     (CVE-2008-1066).
    The vendor reported that the
    _expand_quoted_text() function in libs/Smarty_Compiler.class.php     contains an input sanitation flaw via multiple vectors (CVE-2008-4810,     CVE-2008-4811).
    Nine:Situations:Group::bookoo reported that     the smarty_function_math() function in libs/plugins/function.math.php     contains input sanitation flaw (CVE-2009-1669).
  Impact :

    These issues might allow a remote attacker to execute arbitrary PHP     code.
  Workaround :

    There is no known workaround at this time.

- Thu Mar 20 2008 John Berninger <john at ncphotography     dot com> - 2.2.4-3

    - revert to SVN snapshot so that config-time integrity       checks don't fail

    - remove embedded copy of smarty and use php-Smarty       package

    - Sat Dec 29 2007 John Berninger <john at ncphotography       dot com) - 2.2.4-2

    - BZ 279961 - allow FileInfo

    - Mon Dec 24 2007 Lubomir Kundrak <lkundrak at       redhat.com> 2.2.4-1

    - A christmas present -- critical security update to       2.2.4

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Thu Mar 20 2008 John Berninger <john at ncphotography     dot com> - 2.2.4-3

    - revert to SVN snapshot so that config-time integrity       checks don't fail

    - remove embedded copy of smarty and use php-Smarty       package

    - Sat Dec 29 2007 John Berninger <john at ncphotography       dot com) - 2.2.4-2

    - BZ 279961 - allow FileInfo

    - Mon Dec 24 2007 Lubomir Kundrak <lkundrak at       redhat.com> 2.2.4-1

    - A christmas present -- critical security update to       2.2.4

    - Fri Aug 31 2007 John Berninger <john at ncphotography       dot com> - 2.2-0.7.svn20070831

    - update to 2.2.3 SVN snapshot to fix security vuln's -       bz 267421

    - Tue Jun 5 2007 John Berninger <johnw at       berningeronline dot net> - 2.2-0.6.svn20070506

    - Fix escaping syntax problem in post scriptlet

    - Tue May 15 2007 John Berninger <johnw at       berningeronline dot net> - 2.2-0.5.svn20070506

    - README file update and new build

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Use system Smarty, instead of packaging our own.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A bug in the smarty version contained in moodle could be exploited by attackers to execute arbitrary php code (CVE-2008-1066).

It was discovered that the regex module in Smarty, a PHP templating engine, allows attackers to call arbitrary PHP functions via templates using the regex_replace plugin by a specially crafted search string.

ID	Name	Product	Family	Severity
56808	GLSA-201111-04 : phpDocumentor: Function call injection	Nessus	Gentoo Local Security Checks	high
46793	GLSA-201006-13 : Smarty: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
31971	Fedora 8 : gallery2-2.2.4-3.fc8 (2008-2650)	Nessus	Fedora Local Security Checks	high
31970	Fedora 7 : gallery2-2.2.4-3.fc7 (2008-2587)	Nessus	Fedora Local Security Checks	high
31688	Fedora 8 : php-pear-PhpDocumentor-1.4.1-2.fc8 (2008-2656)	Nessus	Fedora Local Security Checks	high
31637	openSUSE 10 Security Update : moodle (moodle-5109)	Nessus	SuSE Local Security Checks	high
31591	Debian DSA-1520-1 : smarty - insufficient input sanitising	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2008-1066

critical

Tenable Plugins

high

critical

high

high

high

high

high