CVE-2021-43676
📋 TL;DR
CVE-2021-43676 is a path manipulation vulnerability in the matyhtf framework's Smarty.class.php that allows attackers to read arbitrary files on the server. This affects all applications using matyhtf framework v3.0.5 with Smarty template engine enabled. Attackers can exploit this to access sensitive configuration files, source code, or other system files.
💻 Affected Systems
- matyhtf framework
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise: an attacker reads sensitive files such as configuration files containing database credentials, SSH keys, or other secrets, which leads to lateral movement and data exfiltration.
Likely Case
Information disclosure of sensitive application files, configuration data, or source code that could enable further attacks.
If Mitigated
Limited impact with proper file permissions and directory restrictions preventing access to critical system files.
🎯 Exploit Status
Exploitation requires network access to the vulnerable application but no authentication. The vulnerability is in file inclusion logic that can be triggered via crafted requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.0.6 and later
Vendor Advisory: https://github.com/matyhtf/framework/issues/206
Restart Required: Yes
Instructions:
1. Update matyhtf framework to version 3.0.6 or later.
2. Replace the vulnerable Smarty.class.php file.
3. Restart the application server.
4. Verify the fix by testing file inclusion attempts.
🔧 Temporary Workarounds
Disable Smarty template engine
Temporarily disable the vulnerable Smarty template engine component if not essential for application functionality.
Modify application configuration to disable Smarty or use alternative template engine
Implement input validation
Add strict input validation for file path parameters in the application code.
Implement whitelist validation for allowed file paths in template inclusion functions
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block path traversal patterns and file inclusion attempts.
- Restrict file system permissions to limit what files the application user can read.
🔍 How to Verify
Check if Vulnerable:
Check if application uses matyhtf framework v3.0.5 and has Smarty template engine enabled. Test by attempting to include files outside the intended directory via template parameters.
Check Version:
Check framework version in composer.json or framework configuration files
Verify Fix Applied:
After updating to v3.0.6+, test that file inclusion attempts with path traversal payloads are properly blocked and return errors instead of file contents.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in application logs
- Failed file inclusion attempts with path traversal patterns
- Requests containing '../' or similar path traversal sequences
Network Indicators:
- HTTP requests with suspicious file path parameters in template-related endpoints
- Unusual file download patterns from the application
SIEM Query:
source="application.log" AND ("../" OR "..\\" OR "/etc/" OR "/proc/") AND status=200
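The query above matches only literal sequences, so percent-encoded or double-encoded traversal in a request would not hit it. The following is an added example, not part of the original advisory or the framework's code, that decodes the request target before matching and separates failed attempts from status-200 responses; the access-log format, the `tpl` parameter and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Assumed combined-log-style line: method, request target, status (constructed format).
LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A ".." path step, or the sensitive prefixes from the SIEM query, checked after decoding.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=])\.\.(?:[/\\]|$)|/etc/|/proc/')

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return None, 'attempt' (non-200 response) or 'possible-read' (status 200)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    target = decode_fully(m.group("target"))
    if not TRAVERSAL_RE.search(target):
        return None
    return "possible-read" if m.group("status") == "200" else "attempt"

# Constructed sample lines; the endpoint and the "tpl" parameter are hypothetical.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2022:10:00:00 +0000] "GET /index.php?tpl=home.html HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2022:10:00:05 +0000] "GET /index.php?tpl=../../app/config.php HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jan/2022:10:00:07 +0000] "GET /index.php?tpl=%2e%2e%2f%2e%2e%2fapp%2fconfig.php HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jan/2022:10:00:09 +0000] "GET /index.php?tpl=%252e%252e%255capp HTTP/1.1" 404 0',
    '203.0.113.7 - - [01/Jan/2022:10:00:11 +0000] "GET /docs/v1..2/notes.html HTTP/1.1" 200 900',
]

def scan(lines):
    """Return (line_number, verdict) for every flagged line."""
    return [(i, v) for i, l in enumerate(lines, 1) if (v := classify(l))]

if __name__ == "__main__":
    for lineno, verdict in scan(SAMPLE_LOG):
        print(lineno, verdict)
```

Lines classified as `possible-read` are the ones to triage first, since a 200 response to a traversal-shaped request matches the `status=200` condition in the query above.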