oss-sec mailing list archives
CVE id request: another geshi issue (was: [oss-security] GeSHi: Clarification about the recent security (non-)issues (SA32559))
From: Nico Golde <oss-security+ml () ngolde de>
Date: Thu, 20 Nov 2008 13:04:49 +0100
Hi,

* Christian Hoffmann <hoffie () gentoo org> [2008-11-10 19:09]:
> I was reading up on Secunia Advisory 32559 [1] and the related upstream statement [2] and ChangeLog [3] and well, it left me with some mixed impressions, what's true and what not, so I took a closer look.
> [...]
> A more important issue has been silently fixed as well. Unfortunately I can not find a public reference or a changelog entry to it. A user can get geshi into an infinite loop and thus causing a DoS (the php process will eat a lot of CPU) by highlighting a crafted xml sequence. As a PoC '<' works. The upstream fix for this is http://geshi.svn.sourceforge.net/viewvc/geshi/trunk/geshi-1.0.X/src/geshi.php?r1=1321&r2=1322&view=patch

Let me explain a little.

geshi.php:
    1520 $code = "\n" . $code . "\n";
    ..
    1523 $length = strlen($code);
    ..
    1545 for ($i = 0; $i < $length; ++$i) {
    1546     foreach ($this->language_data['SCRIPT_DELIMITERS'] as $delimiters) {
    1547         foreach ($delimiters as $open => $close) {
    1548             // Get the next little bit for this opening string
    1549             $open_strlen = strlen($open);
    1550             $check = substr($code, $i, $open_strlen);
    1551             // If it matches...
    1552             if ($check == $open) {
    ..
    1556                 $parts[$k][0] = $open;
    1557                 $close_i = strpos($code, $close, $i + $open_strlen) + strlen($close);
    1558                 if ($close_i === false) {
    1559                     $close_i = $length - 1;
    1560                 }
    ..
    1562                 $i = $close_i - 1;
    ..
    1569             }
    1570         }
    1571     }

$this->language_data['SCRIPT_DELIMITERS'] is defined as an array of arrays that holds start and end tags; in the case of xml this holds a tuple ('<', '>') and assigns them to $open and $close. For '<', in line 1557 strpos will fail, resulting in false, because there is no close tag. Adding strlen($close) to it will result in $close_i being 1. In line 1562 $i will be set to $close_i - 1, resulting in $i being 0. The loop starts again and $i is 1 again -> infinite loop.

Steve, can you assign a CVE id to this? This should affect every version < 1.0.8.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
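An added illustration, not GeSHi's own code and not the upstream r1322 patch: a stripped-down model of the quoted scan loop (one delimiter level, constructed input) carrying the same strpos()/false arithmetic defect, capped so it reports the hang instead of spinning, beside a version that checks the strpos() result before doing arithmetic on it.

```php
<?php
// Defective model of the loop: strpos() returns false when no closing
// delimiter exists, and false + strlen($close) silently becomes 1, so the
// `=== false` test can never fire and $i moves backwards.
function scan_defective(string $code, array $delimiters, int $max_iter = 1000): string {
    $code = "\n" . $code . "\n";
    $length = strlen($code);
    $parts = [];
    $iter = 0;
    for ($i = 0; $i < $length; ++$i) {
        if (++$iter > $max_iter) { return 'HUNG'; } // cap only so this returns
        foreach ($delimiters as $open => $close) {
            if (substr($code, $i, strlen($open)) == $open) {
                $close_i = strpos($code, $close, $i + strlen($open)) + strlen($close);
                if ($close_i === false) { // unreachable: $close_i is already an int
                    $close_i = $length - 1;
                }
                $parts[] = substr($code, $i, $close_i - $i);
                $i = $close_i - 1;
                break;
            }
        }
    }
    return implode('|', $parts);
}

// Hardened model: test the strpos() result before doing arithmetic on it,
// treat an unterminated block as running to end of input, and never let
// $i move backwards, so every iteration makes progress.
function scan_fixed(string $code, array $delimiters): string {
    $code = "\n" . $code . "\n";
    $length = strlen($code);
    $parts = [];
    for ($i = 0; $i < $length; ++$i) {
        foreach ($delimiters as $open => $close) {
            if (substr($code, $i, strlen($open)) === $open) {
                $pos = strpos($code, $close, $i + strlen($open));
                $close_i = ($pos === false) ? $length : $pos + strlen($close);
                $parts[] = substr($code, $i, $close_i - $i);
                $i = max($i, $close_i - 1);
                break;
            }
        }
    }
    return implode('|', $parts);
}
$xml = ['<' => '>']; // the ('<', '>') tuple from the mail (constructed input)
echo scan_defective('<', $xml), "\n";
echo scan_fixed('<', $xml), "\n";
echo scan_fixed('<a>text<b>', $xml), "\n";
```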