oss-sec mailing list archives
Re: GeSHi: Clarification about the recent security (non-)issues (SA32559)
From: "Steven M. Christey" <coley () linus mitre org>
Date: Thu, 20 Nov 2008 20:26:25 -0500 (EST)
Because it got published in other sources a CVE is needed to track it, but I agree that this should be regarded as a problem in web apps that use GeSHi.

- Steve

======================================================
Name: CVE-2008-5186
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5186
Reference: MLIST:[oss-security] 20081110 GeSHi: Clarification about the recent security (non-)issues (SA32559)
Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/10/8
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=637321
Reference: BID:32070
Reference: URL:http://www.securityfocus.com/bid/32070
Reference: SECUNIA:32559
Reference: URL:http://secunia.com/advisories/32559
Reference: XF:geshi-unspecified-code-execution(46271)
Reference: URL:http://xforce.iss.net/xforce/xfdb/46271

** DISPUTED ** The set_language_path function in geshi.php in Generic Syntax Highlighter (GeSHi) before 1.0.8.1 might allow remote attackers to conduct file inclusion attacks via crafted inputs that influence the default language path ($path variable). NOTE: this issue has been disputed by a vendor, stating that only a static value is used, so this is not a vulnerability in GeSHi. Separate CVE identifiers would be created for web applications that integrate GeSHi in a way that allows control of the default language path.
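
The integration-side point in the CVE text above, as an added example that is not part of the original message and is not GeSHi's or any poster's code: a web application keeps the language path static and checks the requested language against an allowlist before handing either to GeSHi. GESHI_LANG_DIR, ALLOWED_LANGUAGES, pick_language() and render_snippet() are hypothetical names, and the install location of geshi.php is an assumption.

```php
<?php
// Added example. All names below are hypothetical; paths are assumptions.
const GESHI_LANG_DIR = __DIR__ . '/geshi/';          // static, never built from request data
const ALLOWED_LANGUAGES = ['php', 'python', 'c', 'sql'];

// Returns a vetted language name, or null when the request must not reach GeSHi.
function pick_language(?string $requested): ?string
{
    $lang = strtolower((string) $requested);
    // Strict allowlist match: traversal sequences, absolute paths and
    // stream-wrapper prefixes can never equal one of the listed names.
    if (!in_array($lang, ALLOWED_LANGUAGES, true)) {
        return null;
    }
    // Defence in depth: the language file must resolve inside the fixed directory.
    $base = realpath(GESHI_LANG_DIR);
    $file = realpath(GESHI_LANG_DIR . $lang . '.php');
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $lang;
}

// Renders user-supplied source; falls back to escaped plain text on rejection.
function render_snippet(string $source, ?string $requestedLang): string
{
    $lang = pick_language($requestedLang);
    if ($lang === null) {
        return '<pre>' . htmlspecialchars($source, ENT_QUOTES, 'UTF-8') . '</pre>';
    }
    require_once __DIR__ . '/geshi.php';             // assumed install location
    // The third constructor argument is the language path: a constant here,
    // so no request parameter can influence what gets included.
    $geshi = new GeSHi($source, $lang, GESHI_LANG_DIR);
    return $geshi->parse_code();
}
```
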
Current thread:
- GeSHi: Clarification about the recent security (non-)issues (SA32559) Christian Hoffmann (Nov 10)
- Re: GeSHi: Clarification about the recent security (non-)issues (SA32559) Tomas Hoger (Nov 11)
- CVE id request: another geshi issue (was: [oss-security] GeSHi: Clarification about the recent security (non-)issues (SA32559)) Nico Golde (Nov 20)
- Re: GeSHi: Clarification about the recent security (non-)issues (SA32559) Steven M. Christey (Nov 20)
