oss-sec mailing list archives

GeSHi: Clarification about the recent security (non-)issues (SA32559)

From: Christian Hoffmann <hoffie () gentoo org>
Date: Mon, 10 Nov 2008 19:04:08 +0100

Heya,

I was reading up on Secunia Advisory 32559 [1] and the related upstream
statement [2] and ChangeLog [3] and well, it left me with some mixed
impressions, what's true and what not, so I took a closer look.

The facts:
  * Secunia says: "unspecified error, which may allow execution of
        arbitrary code"
  * Upstream's ChangeLog [3] says: "Fixed a problem allowing Remote
        Code Inclusion under certain circumstances (BenBE)"
  * Upstream's news entry [2] says that the exploitation of
    this issue requires that an attacker already has access to the
    system

So, with little concrete information being available, I took a look at
the diff [4]. As I understand it, a function (set_language_path()) did
not check the parameter, which it got passed, which made it possible to
inject data into a string, which would later be used by "include" or a
similar construct. This would allow for using certain stream wrappers
like http:// or php:// to load user-supplied data as PHP code.
So, *if* a user has the possibility to pass a crafted string to
set_language_path(), this might allow for later remote (PHP) code execution.
GeSHi calls this function in its constructor with the passed $path
argument, which is not untrusted per-se. So GeSHi alone does not make
this a vulnerability.
Webapps could pass user-supplied data to this parameter, but this sounds
unlikely (and not that smart...). So if at all, I'd consider this a
vulnerability in a web app, which passes user-supplied input to this
parameter.

These are just my findings after having a quick look at the code, and I
thought I'd shared them, just in case someone wondered (and please
protest, if you think I'm wrong).

JFYI: Dokuwiki and phpBB are examples of software packages, which bundle
GeSHi. Dokuwiki passes a static string to the mentioned $path parameter
and is not vulnerable as such. I haven't checked phpBB.


[1] http://secunia.com/advisories/32559/
[2] http://qbnz.com/highlighter/news.php?id=119
[3] http://sourceforge.net/project/shownotes.php?release_id=637321
[4]
http://geshi.svn.sourceforge.net/viewvc/geshi/trunk/geshi-1.0.X/src/geshi.php?r1=1747&r2=1750
-- 
Christian Hoffmann

Attachment: signature.asc
Description: OpenPGP digital signature

Current thread:

GeSHi: Clarification about the recent security (non-)issues (SA32559) Christian Hoffmann (Nov 10)
- Re: GeSHi: Clarification about the recent security (non-)issues (SA32559) Tomas Hoger (Nov 11)
- CVE id request: another geshi issue (was: [oss-security] GeSHi: Clarification about the recent security (non-)issues (SA32559)) Nico Golde (Nov 20)
  - Re: CVE id request: another geshi issue (was: [oss-security] GeSHi: Clarification about the recent security (non-)issues (SA32559)) Steven M. Christey (Nov 20)
- Re: GeSHi: Clarification about the recent security (non-)issues (SA32559) Steven M. Christey (Nov 20)