[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list]
Date: Thu, 20 Nov 2008 20:26:25 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
cc: mail@...ianw.de
Subject: Re: GeSHi: Clarification about the recent security
(non-)issues (SA32559)
Because it got published in other sources a CVE is needed to track it, but
I agree that this should be regarded as a problem in web apps that use
GeSHi.
- Steve
======================================================
Name: CVE-2008-5186
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5186
Reference: MLIST:[oss-security] 20081110 GeSHi: Clarification about the recent security (non-)issues (SA32559)
Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/10/8
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=637321
Reference: BID:32070
Reference: URL:http://www.securityfocus.com/bid/32070
Reference: SECUNIA:32559
Reference: URL:http://secunia.com/advisories/32559
Reference: XF:geshi-unspecified-code-execution(46271)
Reference: URL:http://xforce.iss.net/xforce/xfdb/46271
** DISPUTED **
The set_language_path function in geshi.php in Generic Syntax
Highlighter (GeSHi) before 1.0.8.1 might allow remote attackers to
conduct file inclusion attacks via crafted inputs that influence the
default language path ($path variable). NOTE: this issue has been
disputed by a vendor, stating that only a static value is used, so
this is not a vulnerability in GeSHi. Separate CVE identifiers would
be created for web applications that integrate GeSHi in a way that
allows control of the default language path.
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Hosted by DataForce ISP -
Powered by Openwall GNU/*/Linux