oss-sec mailing list archives
GeSHi: Clarification about the recent security (non-)issues (SA32559)
From: Christian Hoffmann <hoffie () gentoo org>
Date: Mon, 10 Nov 2008 19:04:08 +0100
Heya, I was reading up on Secunia Advisory 32559 [1] and the related upstream statement [2] and ChangeLog [3] and well, it left me with some mixed impressions, what's true and what not, so I took a closer look. The facts: * Secunia says: "unspecified error, which may allow execution of arbitrary code" * Upstream's ChangeLog [3] says: "Fixed a problem allowing Remote Code Inclusion under certain circumstances (BenBE)" * Upstream's news entry [2] says that the exploitation of this issue requires that an attacker already has access to the system So, with little concrete information being available, I took a look at the diff [4]. As I understand it, a function (set_language_path()) did not check the parameter, which it got passed, which made it possible to inject data into a string, which would later be used by "include" or a similar construct. This would allow for using certain stream wrappers like http:// or php:// to load user-supplied data as PHP code. So, *if* a user has the possibility to pass a crafted string to set_language_path(), this might allow for later remote (PHP) code execution. GeSHi calls this function in its constructor with the passed $path argument, which is not untrusted per-se. So GeSHi alone does not make this a vulnerability. Webapps could pass user-supplied data to this parameter, but this sounds unlikely (and not that smart...). So if at all, I'd consider this a vulnerability in a web app, which passes user-supplied input to this parameter. These are just my findings after having a quick look at the code, and I thought I'd shared them, just in case someone wondered (and please protest, if you think I'm wrong). JFYI: Dokuwiki and phpBB are examples of software packages, which bundle GeSHi. Dokuwiki passes a static string to the mentioned $path parameter and is not vulnerable as such. I haven't checked phpBB. [1] http://secunia.com/advisories/32559/ [2] http://qbnz.com/highlighter/news.php?id=119 [3] http://sourceforge.net/project/shownotes.php?release_id=637321 [4] http://geshi.svn.sourceforge.net/viewvc/geshi/trunk/geshi-1.0.X/src/geshi.php?r1=1747&r2=1750 -- Christian Hoffmann
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- GeSHi: Clarification about the recent security (non-)issues (SA32559) Christian Hoffmann (Nov 10)
- Re: GeSHi: Clarification about the recent security (non-)issues (SA32559) Tomas Hoger (Nov 11)
- CVE id request: another geshi issue (was: [oss-security] GeSHi: Clarification about the recent security (non-)issues (SA32559)) Nico Golde (Nov 20)
- Re: GeSHi: Clarification about the recent security (non-)issues (SA32559) Steven M. Christey (Nov 20)