CVE-2021-29454 Overview
CVE-2021-29454 is a Code Injection vulnerability affecting Smarty, a widely used template engine for PHP that separates presentation (HTML/CSS) from application logic. Prior to versions 3.1.42 and 4.0.2, template authors could run arbitrary PHP code by crafting a malicious math string. When a math string is passed through as user-provided data to the {math} function, external users can achieve remote code execution by exploiting insufficient input validation in the mathematical expression parser.
Critical Impact
This vulnerability allows authenticated attackers to execute arbitrary PHP code on the server through crafted math strings, potentially leading to complete system compromise, data theft, and server takeover.
Affected Products
- Smarty versions prior to 3.1.42
- Smarty versions 4.x prior to 4.0.2
- Debian Linux 9.0, 10.0, and 11.0
- Fedora 36 and 37
Discovery Timeline
- 2022-01-10 - CVE-2021-29454 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-29454
Vulnerability Analysis
The vulnerability exists in the {math} function within Smarty's template engine. This function is designed to allow mathematical calculations within templates, but insufficient validation of the mathematical expression input allows attackers to inject arbitrary PHP code. The {math} function uses eval() internally to process mathematical expressions, and prior to the patch, the whitelist of allowed functions was incomplete, enabling code injection through crafted inputs.
The attack requires the attacker to have the ability to provide input to a template's {math} function, either as a template author or through user-supplied data that flows into the math parameter. Once exploited, the attacker gains the ability to execute arbitrary PHP code with the privileges of the web server process.
Root Cause
The root cause is an Injection vulnerability (CWE-74) in the {math} function's expression parser. The function failed to properly sanitize and validate input before passing it to PHP's evaluation functions. The whitelist of allowed mathematical functions was incomplete, allowing attackers to bypass restrictions and inject malicious code through unfiltered function calls within math expressions.
Attack Vector
The attack can be conducted over the network without user interaction. An authenticated attacker with low privileges who can influence template input can craft a malicious mathematical expression containing PHP code. When the template engine processes the {math} function with this malicious input, the injected code executes on the server. This is particularly dangerous when user-supplied data is passed to the math function without proper sanitization.
The following patch from the security fix shows the expanded whitelist of allowed mathematical functions:
'int' => true,
'abs' => true,
'ceil' => true,
+ 'acos' => true,
+ 'acosh' => true,
'cos' => true,
+ 'cosh' => true,
+ 'deg2rad' => true,
+ 'rad2deg' => true,
'exp' => true,
'floor' => true,
'log' => true,
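Review bot: this hunk only adds names to the allow-list (acos, acosh, cosh, deg2rad, rad2deg); extending an allow-list widens what a template may call and does not on its own close the injection path, so confirm that the same commit also tightens the expression validation that the Patch Information section below says was improved, rather than treating the list change as the whole fix.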
Source: GitHub Commit 215d81a9
Detection Methods for CVE-2021-29454
Indicators of Compromise
- Unusual PHP process activity originating from web server processes
- Unexpected outbound network connections from the web application server
- Suspicious template files containing complex or obfuscated {math} expressions
- Web server error logs showing PHP execution errors related to the Smarty template engine
- Abnormal file system modifications in web directories
Detection Strategies
- Monitor web application logs for requests containing suspicious mathematical expressions or encoded payloads targeting template parameters
- Implement Web Application Firewall (WAF) rules to detect and block code injection patterns in request parameters
- Use file integrity monitoring to detect unauthorized changes to Smarty template files
- Deploy runtime application self-protection (RASP) solutions to detect eval-based code execution attempts
Monitoring Recommendations
- Enable detailed logging for the Smarty template engine to capture all {math} function invocations
- Monitor for unusual PHP function calls and process spawning from the web server context
- Implement alerting for outbound network connections from application servers that don't match expected patterns
- Review and audit template files periodically for suspicious content
How to Mitigate CVE-2021-29454
Immediate Actions Required
- Upgrade Smarty to version 3.1.42 or later for the 3.x branch
- Upgrade Smarty to version 4.0.2 or later for the 4.x branch
- Review all templates for user-controlled input flowing into {math} functions
- Implement strict input validation for any data passed to template functions
- Consider disabling the {math} function if not required by your application
Patch Information
Security patches are available from the official Smarty project. The fix expands the whitelist of allowed functions in the math expression parser and improves input sanitization. Patches can be obtained from:
For Debian users, refer to DSA-5151 and the Debian LTS Announcement. Gentoo users should consult GLSA 202209-09.
Workarounds
- Avoid using the {math} function with user-supplied input until patching is possible
- Implement strict whitelist validation for any mathematical expressions before they reach Smarty templates
- Use security plugins or custom pre-processors to sanitize template input
- Isolate the web application in a containerized environment to limit the impact of potential exploitation
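The strict validation recommended above, and the allow-list mechanism described under Vulnerability Analysis, as an added example that is not Smarty's own code: a pre-validator an application can run on a math string before it reaches a template. The function name and the variable convention (`x`, `y`) are assumptions; the allow-listed function names are taken from the patch fragment above.

```php
<?php
// Added example (not Smarty's own code): a strict pre-validator for math
// strings before they reach {math}. It allows only numeric literals, the
// operators + - * / %, parentheses, dot, comma, whitespace, the names of
// supplied template variables, and functions from an allow-list (the names
// shown in the patch fragment). Anything else rejects the whole string.

const MATH_ALLOWED_FUNCS = [
    'int' => true, 'abs' => true, 'ceil' => true, 'acos' => true,
    'acosh' => true, 'cos' => true, 'cosh' => true, 'deg2rad' => true,
    'rad2deg' => true, 'exp' => true, 'floor' => true, 'log' => true,
];

/**
 * Returns true only if $equation consists entirely of tokens that are safe
 * to hand to the math function. $vars lists the variable names the template
 * supplies (for example x and y). Unknown identifiers and stray characters
 * cause rejection; nothing is stripped or rewritten.
 */
function math_string_is_safe(string $equation, array $vars): bool
{
    // 1. Character-level allow-list: no $, quotes, backticks, ;, {} or \.
    if (!preg_match('/\A[\w\s.+\-*\/%(),]*\z/', $equation)) {
        return false;
    }
    // 2. Every identifier must be a supplied variable or an allow-listed
    //    function that is immediately followed by "(", so neither a bare
    //    function name nor an unlisted name can reach eval().
    preg_match_all('/[A-Za-z_]\w*/', $equation, $m, PREG_OFFSET_CAPTURE);
    foreach ($m[0] as [$name, $offset]) {
        if (in_array($name, $vars, true)) {
            continue;
        }
        $after = ltrim(substr($equation, $offset + strlen($name)));
        if (!isset(MATH_ALLOWED_FUNCS[$name]) || ($after[0] ?? '') !== '(') {
            return false;
        }
    }
    // 3. Parentheses must balance (catches truncated or spliced input).
    return substr_count($equation, '(') === substr_count($equation, ')');
}

// Constructed inputs: a legitimate template expression and two that the
// validator must refuse (an unlisted function, a disallowed character).
var_dump(math_string_is_safe('ceil(x / 2) + abs(y) * 100', ['x', 'y'])); // true
var_dump(math_string_is_safe('strlen(x)', ['x']));                       // false
var_dump(math_string_is_safe('x + 1; y', ['x', 'y']));                   // false
```

Hexadecimal (0x1F) and exponent (1e3) literals are rejected by this validator because their letters parse as identifiers; loosen step 2 deliberately if templates need them.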
# Update Smarty via Composer
composer require smarty/smarty:^3.1.42
# Or for Smarty 4.x
composer require smarty/smarty:^4.0.2
# Verify the installed version
composer show smarty/smarty | grep versions
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.