Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 20 Nov 2008 20:26:25 -0500 (EST)
From: "Steven M. Christey" <>
Subject: Re: GeSHi: Clarification about the recent security
 (non-)issues (SA32559)

Because it got published in other sources a CVE is needed to track it, but
I agree that this should be regarded as a problem in web apps that use

- Steve

Name: CVE-2008-5186
Status: Candidate
Reference: MLIST:[oss-security] 20081110 GeSHi: Clarification about the recent security (non-)issues (SA32559)
Reference: URL:
Reference: CONFIRM:
Reference: BID:32070
Reference: URL:
Reference: SECUNIA:32559
Reference: URL:
Reference: XF:geshi-unspecified-code-execution(46271)
Reference: URL:


The set_language_path function in geshi.php in Generic Syntax
Highlighter (GeSHi) before might allow remote attackers to
conduct file inclusion attacks via crafted inputs that influence the
default language path ($path variable).  NOTE: this issue has been
disputed by a vendor, stating that only a static value is used, so
this is not a vulnerability in GeSHi. Separate CVE identifiers would
be created for web applications that integrate GeSHi in a way that
allows control of the default language path.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.