oss-sec mailing list archives
Re: GeSHi: Clarification about the recent security (non-)issues (SA32559)
From: Tomas Hoger <thoger () redhat com>
Date: Tue, 11 Nov 2008 10:59:07 +0100
Hi Christian!

On Mon, 10 Nov 2008 19:04:08 +0100 Christian Hoffmann <hoffie () gentoo org> wrote:
> These are just my findings after having a quick look at the code, and I thought I'd share them, just in case someone wondered (and please protest if you think I'm wrong).
Thanks for posting your finding!
> JFYI: Dokuwiki and phpBB are examples of software packages that bundle GeSHi. Dokuwiki passes a static string to the mentioned $path parameter and is not vulnerable as such. I haven't checked phpBB.
pgfouine too, but it does not override the default language files path at all (set_language_path is only called with $path == '').

-- 
Tomas Hoger / Red Hat Security Response Team