Date: Thu, 20 Nov 2008 13:04:49 +0100
From: Nico Golde <oss-security+ml@...lde.de>
To: oss-security@...ts.openwall.com
Cc: toots@...tageeks.org
Subject: CVE id request: another geshi issue (was: GeSHi: Clarification about the recent security (non-)issues (SA32559))

Hi,
* Christian Hoffmann <hoffie@...too.org> [2008-11-10 19:09]:
> I was reading up on Secunia Advisory 32559 [1] and the related upstream
> statement [2] and ChangeLog [3] and well, it left me with some mixed
> impressions, what's true and what not, so I took a closer look.
[...] 
A more important issue has been silently fixed as well. Unfortunately 
I can not find a public reference or a changelog entry for it. 
A user can get geshi into an infinite loop and thus cause 
a DoS (the php process will eat a lot of CPU) by highlighting a 
crafted xml sequence. As a PoC '<' works.

The upstream fix for this is 
http://geshi.svn.sourceforge.net/viewvc/geshi/trunk/geshi-1.0.X/src/geshi.php?r1=1321&r2=1322&view=patch

Let me explain a little.
geshi.php:
   1520         $code = "\n" . $code . "\n";
    ..
   1523         $length           = strlen($code);
    ..
   1545             for ($i = 0; $i < $length; ++$i) {
   1546                 foreach ($this->language_data['SCRIPT_DELIMITERS'] as $delimiters) {
   1547                     foreach ($delimiters as $open => $close) {
   1548                         // Get the next little bit for this opening string
   1549                         $open_strlen = strlen($open);
   1550                         $check = substr($code, $i, $open_strlen);
   1551                         // If it matches...
   1552                         if ($check == $open) {
    ..
   1556                             $parts[$k][0] = $open;
   1557                             $close_i = strpos($code, $close, $i + $open_strlen)  + strlen($close);
   1558                             if ($close_i === false) {
   1559                                 $close_i = $length - 1;
   1560                             }
    ..
   1562                             $i = $close_i - 1;
    ..
   1569                         }
   1570                     }
   1571                 }

$this->language_data['SCRIPT_DELIMITERS'] is defined as an array of arrays that
holds start and end tags; in the case of xml this holds a tuple ('<', '>')
and assigns them to $open and $close.

For '<', in line 1557 strpos will fail, resulting in false because there is no
close tag. Adding strlen($close) to it will result in $close_i being 1. In
line 1562 $i will be set to $close_i - 1, resulting in 0. The loop starts again
and $i is 1 again -> infinite loop.

Steve, can you assign a CVE id to this? This should affect every version < 1.0.8.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
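The loop described in the mail, as an added example that is not part of the original post and not GeSHi's own code: a reduced PHP model of the SCRIPT_DELIMITERS scan quoted above, with a flag that switches between the original arithmetic and a corrected ordering (test the strpos() result for false before adding strlen($close)). The correction shown here is the obvious one and is an assumption about what a fix should do, not a copy of upstream r1322. The delimiter table, the iteration cap and the sample inputs are constructed for the demonstration; the cap is what makes the vulnerable variant return instead of hanging the process.

```php
<?php
// Added example (not GeSHi's own code): reduced model of the SCRIPT_DELIMITERS
// scan from geshi.php 1.0.7.x, parameterised so the vulnerable arithmetic and
// a corrected variant can be run side by side.

// Constructed delimiter table in the shape of
// $this->language_data['SCRIPT_DELIMITERS'] for xml: one (open => close) pair.
const SCRIPT_DELIMITERS = array(array('<' => '>'));

/**
 * Split $code into the substrings enclosed by script delimiters.
 *
 * @param string $code            input to scan
 * @param bool   $fixed           false: original arithmetic; true: check strpos() first
 * @param int    $max_iterations  safety cap (assumed); null is returned when it is hit
 * @return array|null             delimited parts, or null if the scan did not terminate
 */
function split_script_delimiters($code, $fixed, $max_iterations = 10000) {
    $code       = "\n" . $code . "\n";
    $length     = strlen($code);
    $parts      = array();
    $iterations = 0;

    for ($i = 0; $i < $length; ++$i) {
        if (++$iterations > $max_iterations) {
            return null;            // the real loop would spin here forever
        }
        foreach (SCRIPT_DELIMITERS as $delimiters) {
            foreach ($delimiters as $open => $close) {
                $open_strlen = strlen($open);
                if (substr($code, $i, $open_strlen) != $open) {
                    continue;
                }
                $close_pos = strpos($code, $close, $i + $open_strlen);
                if ($fixed) {
                    // Test the strpos() result before doing arithmetic on it.
                    $close_i = ($close_pos === false)
                        ? $length                      // no close tag: take the rest
                        : $close_pos + strlen($close);
                } else {
                    // Original order: false + strlen('>') is 1, so the === false
                    // check below can never fire and $i is reset to 0 further down.
                    $close_i = $close_pos + strlen($close);
                    if ($close_i === false) {
                        $close_i = $length - 1;
                    }
                }
                $parts[] = substr($code, $i, $close_i - $i);
                $i = $close_i - 1;  // ++$i in the for header moves past the part
            }
        }
    }
    return $parts;
}

// Demonstration on the '<' proof of concept from the mail and on a
// well-formed fragment (both inputs constructed here).
foreach (array('<', '<a><b>') as $input) {
    $vuln  = split_script_delimiters($input, false);
    $fixed = split_script_delimiters($input, true);
    printf("%-8s vulnerable: %s\n", var_export($input, true),
           $vuln === null ? 'did not terminate' : json_encode($vuln));
    printf("%-8s fixed:      %s\n", var_export($input, true), json_encode($fixed));
}
```

With '<' the vulnerable branch hits the iteration cap (in the real code it never returns), while the fixed branch yields a single part containing the unterminated tag; with '<a><b>' both branches return the two tags. The point to check in any review of code like this is the order of operations: strpos() returns false on failure, and PHP silently coerces false to 0 in arithmetic, so the comparison against false has to happen before anything is added to the result.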
