CVE-2011-1028

9.8 CRITICAL

📋 TL;DR

This vulnerability in Smarty3 allows remote attackers to execute arbitrary PHP code through the $smarty.template variable. It affects web applications using vulnerable versions of the Smarty template engine. Attackers can potentially take full control of affected systems.

💻 Affected Systems

Products:
  • Smarty Template Engine
Versions: Smarty3 versions before 3.0.8
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any PHP application using Smarty3 templates with the vulnerable code path.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise leading to data theft, ransomware deployment, or creation of persistent backdoors.

🟠 Likely Case

Web server compromise allowing data exfiltration, defacement, or lateral movement within the network.

🟢 If Mitigated

Limited impact if proper input validation and output encoding are implemented, though risk remains.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires access to template rendering functionality but is straightforward once that access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Smarty 3.0.8 and later

Vendor Advisory: https://github.com/smarty-php/smarty/security/advisories

Restart Required: No

Instructions:

1. Update Smarty to version 3.0.8 or later.
2. Replace the smarty directory with the patched version.
3. Clear any template caches.
4. Test application functionality.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement strict input validation for all template variables before processing.

// PHP code to validate $smarty.template variable
if (!preg_match('/^[a-zA-Z0-9_\-\.\/]+$/', $smarty->template)) {
    die('Invalid template name');
}

🧯 If You Can't Patch

  • Implement WAF rules to block suspicious template variable patterns
  • Restrict access to template rendering functionality to authenticated users only

🔍 How to Verify

Check if Vulnerable:

Check the Smarty version in your application's vendor directory or composer.json. Versions before 3.0.8 are vulnerable.

Check Version:

grep -r 'smarty' composer.json || find . -name '*.php' -exec grep -l 'Smarty' {} \; | head -5

Verify Fix Applied:

Confirm that the Smarty version is 3.0.8 or higher and test template functionality.
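
One way to run the version check above across a whole web root, as an added example that is not part of the original advisory or of the Smarty project. It assumes each Smarty 3 copy declares its version through the `SMARTY_VERSION` constant in `Smarty.class.php` (for example `'Smarty-3.0.7'`); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report Smarty 3 copies below the fixed release (3.0.8).
# Assumption: each copy declares its version in Smarty.class.php, e.g.
#   const SMARTY_VERSION = 'Smarty-3.0.7';
FIXED_VERSION="3.0.8"

# smarty_version_of FILE: print the declared version without the "Smarty-" prefix.
smarty_version_of() {
    sed -n "s/.*SMARTY_VERSION *= *['\"]\(Smarty-\)\{0,1\}\([^'\"]*\)['\"].*/\2/p" "$1" |
        head -n 1
}

# version_lt A B: succeed when dotted version A is lower than B.
# Fields are compared numerically, so 3.0.10 is not lower than 3.0.8.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# audit_smarty DIR: print "STATE version path" for every copy under DIR and
# return 1 when at least one copy is older than FIXED_VERSION.
audit_smarty() {
    report=$(find "${1:-.}" -type f -name 'Smarty.class.php' |
        while IFS= read -r file; do
            ver=$(smarty_version_of "$file")
            case $ver in
                [0-9]*) if version_lt "$ver" "$FIXED_VERSION"
                        then state=VULNERABLE; else state=OK; fi ;;
                *)      state=UNKNOWN; ver=${ver:-none} ;;   # review by hand
            esac
            printf '%s %s %s\n' "$state" "$ver" "$file"
        done)
    if [ -n "$report" ]; then printf '%s\n' "$report"; fi
    if printf '%s\n' "$report" | grep -q '^VULNERABLE '; then return 1; fi
    return 0
}
```

Source the file and call `audit_smarty` with the directory to scan; a non-zero return means at least one copy is below 3.0.8, and `UNKNOWN` lines mark files where no version string was found.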

📡 Detection & Monitoring

Log Indicators:

  • Unusual PHP execution errors
  • Suspicious template file access patterns
  • Unexpected system command execution in web logs

Network Indicators:

  • Unusual outbound connections from web server
  • HTTP requests with suspicious template parameters

SIEM Query:

source="web_logs" AND ("$smarty.template" OR "smarty_internal_compile") AND status=500
