The _expand_quoted_text function in libs/Smarty_Compiler.class.php in Smarty 2.6.20 before r2797 allows remote attackers to execute arbitrary PHP code via vectors related to templates and (1) a dollar-sign character, aka "php executed in templates;" and (2) a double quoted literal string, aka a "function injection security hole." NOTE: each vector affects slightly different SVN revisions.

The remote host is affected by the vulnerability described in GLSA-201006-13 (Smarty: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Smarty:
    The vendor reported that the modifier.regex_replace.php plug-in     contains an input sanitation flaw related to the ASCII NUL character     (CVE-2008-1066).
    The vendor reported that the
    _expand_quoted_text() function in libs/Smarty_Compiler.class.php     contains an input sanitation flaw via multiple vectors (CVE-2008-4810,     CVE-2008-4811).
    Nine:Situations:Group::bookoo reported that     the smarty_function_math() function in libs/plugins/function.math.php     contains input sanitation flaw (CVE-2009-1669).
  Impact :

    These issues might allow a remote attacker to execute arbitrary PHP     code.
  Workaround :

    There is no known workaround at this time.

Several remote vulnerabilities have been discovered in Smarty, a PHP templating engine. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2008-4810     The _expand_quoted_text function allows for certain     restrictions in templates, like function calling and PHP     execution, to be bypassed.

  - CVE-2009-1669     The smarty_function_math function allows     context-dependent attackers to execute arbitrary     commands via shell metacharacters in the equation     attribute of the math function.

Thor Larholm discovered that PHPMailer, as used by Moodle, did not correctly escape email addresses. A local attacker with direct access to the Moodle database could exploit this to execute arbitrary commands as the web server user. (CVE-2007-3215)

Nigel McNie discovered that fetching https URLs did not correctly escape shell meta-characters. An authenticated remote attacker could execute arbitrary commands as the web server user, if curl was installed and configured. (CVE-2008-4796, MSA-09-0003)

It was discovered that Smarty (also included in Moodle), did not correctly filter certain inputs. An authenticated remote attacker could exploit this to execute arbitrary PHP commands as the web server user. (CVE-2008-4810, CVE-2008-4811, CVE-2009-1669)

It was discovered that the unused SpellChecker extension in Moodle did not correctly handle temporary files. If the tool had been locally modified, it could be made to overwrite arbitrary local files via symlinks. (CVE-2008-5153)

Mike Churchward discovered that Moodle did not correctly filter Wiki page titles in certain areas. An authenticated remote attacker could exploit this to cause cross-site scripting (XSS), which could be used to modify or steal confidential data of other users within the same web domain. (CVE-2008-5432, MSA-08-0022)

It was discovered that the HTML sanitizer, 'Login as' feature, and logging in Moodle did not correctly handle certain inputs. An authenticated remote attacker could exploit this to generate XSS, which could be used to modify or steal confidential data of other users within the same web domain. (CVE-2008-5619, CVE-2009-0500, CVE-2009-0502, MSA-08-0026, MSA-09-0004, MSA-09-0007)

It was discovered that the HotPot module in Moodle did not correctly filter SQL inputs. An authenticated remote attacker could execute arbitrary SQL commands as the moodle database user, leading to a loss of privacy or denial of service. (CVE-2008-6124, MSA-08-0010)

Kevin Madura discovered that the forum actions and messaging settings in Moodle were not protected from cross-site request forgery (CSRF).
If an authenticated user were tricked into visiting a malicious website while logged into Moodle, a remote attacker could change the user's configurations or forum content. (CVE-2009-0499, MSA-09-0008, MSA-08-0023)

Daniel Cabezas discovered that Moodle would leak usernames from the Calendar Export tool. A remote attacker could gather a list of users, leading to a loss of privacy. (CVE-2009-0501, MSA-09-0006)

Christian Eibl discovered that the TeX filter in Moodle allowed any function to be used. An authenticated remote attacker could post a specially crafted TeX formula to execute arbitrary TeX functions, potentially reading any file accessible to the web server user, leading to a loss of privacy. (CVE-2009-1171, MSA-09-0009)

Johannes Kuhn discovered that Moodle did not correctly validate user permissions when attempting to switch user accounts. An authenticated remote attacker could switch to any other Moodle user, leading to a loss of privacy. (MSA-08-0003)

Hanno Boeck discovered that unconfigured Moodle instances contained XSS vulnerabilities. An unauthenticated remote attacker could exploit this to modify or steal confidential data of other users within the same web domain. (MSA-08-0004)

Debbie McDonald, Mauno Korpelainen, Howard Miller, and Juan Segarra Montesinos discovered that when users were deleted from Moodle, their profiles and avatars were still visible. An authenticated remote attacker could exploit this to store information in profiles even after they were removed, leading to spam traffic. (MSA-08-0015, MSA-09-0001, MSA-09-0002)

Lars Vogdt discovered that Moodle did not correctly filter certain inputs. An authenticated remote attacker could exploit this to generate XSS from which they could modify or steal confidential data of other users within the same web domain. (MSA-08-0021)

It was discovered that Moodle did not correctly filter inputs for group creation, mnet, essay question, HOST param, wiki param, and others. An authenticated remote attacker could exploit this to generate XSS from which they could modify or steal confidential data of other users within the same web domain. (MDL-9288, MDL-11759, MDL-12079, MDL-12793, MDL-14806)

It was discovered that Moodle did not correctly filter SQL inputs when performing a restore. An attacker authenticated as a Moodle administrator could execute arbitrary SQL commands as the moodle database user, leading to a loss of privacy or denial of service.
(MDL-11857).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A vulnerability has been identified and corrected in php-smarty :

The _expand_quoted_text function in libs/Smarty_Compiler.class.php in Smarty 2.6.20 before r2797 allows remote attackers to execute arbitrary PHP code via vectors related to templates and (1) a dollar-sign character, aka php executed in templates

Several remote vulnerabilities have been discovered in Moodle, an online course management system. The following issues are addressed in this update, ranging from cross site scripting to remote code execution.

Various cross site scripting issues in the Moodle codebase (CVE-2008-3326, CVE-2008-3325, CVE-2007-3555, CVE-2008-5432, MSA-08-0021, MDL-8849, MDL-12793, MDL-11414, MDL-14806, MDL-10276).

Various cross site request forgery issues in the Moodle codebase (CVE-2008-3325, MSA-08-0023).

Privilege escalation bugs in the Moodle codebase (MSA-08-0001, MDL-7755).

SQL injection issue in the hotpot module (MSA-08-0010).

An embedded copy of Smarty had several vulnerabilities (CVE-2008-4811, CVE-2008-4810 ). An embedded copy of Snoopy was vulnerable to cross site scripting (CVE-2008-4796 ). An embedded copy of Kses was vulnerable to cross site scripting (CVE-2008-1502 ).

ID	Name	Product	Family	Severity
46793	GLSA-201006-13 : Smarty: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
44784	Debian DSA-1919-1 : smarty - several vulnerabilities	Nessus	Debian Local Security Checks	critical
39516	Ubuntu 8.04 LTS / 8.10 : moodle vulnerabilities (USN-791-1)	Nessus	Ubuntu Local Security Checks	critical
37766	Mandriva Linux Security Advisory : php-smarty (MDVSA-2009:052)	Nessus	Mandriva Local Security Checks	high
35254	Debian DSA-1691-1 : moodle - several vulnerabilities	Nessus	Debian Local Security Checks	critical

Detections

Analytics

CVE-2008-4810

critical

Tenable Plugins

critical

critical

critical

high

critical