Message-ID: <1558113393.18184847.1345561502579.JavaMail.root@redhat.com>
Date: Tue, 21 Aug 2012 11:05:02 -0400 (EDT)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: oss-security@...ts.openwall.com, Benny Baumann <BenBE@...hi.org>, Benny Baumann <BenBE@...rphia.de>, Nigel McNie <nigel@...hi.org>
Subject: CVE Request -- php-geshi / GeSHi (1.0.8.11): Remote directory traversal and information disclosure in the cssgen contrib module (plus possibly XSS, but it needs upstream to confirm)

Hello Kurt, Steve, Ben, Nigel, vendors,

Issue #A:
---------
Directory traversal and information disclosure (local file inclusion) flaws were found in the way the cssgen contrib module (an application to generate custom CSS files) of GeSHi, a generic syntax highlighter, performed sanitization of the 'geshi-path' and 'geshi-lang-path' HTTP GET / POST variables. A remote attacker could provide a specially-crafted URL that, when visited, could lead to local file system traversal or, potentially, the ability to read the content of any local file accessible with the privileges of the user running the webserver.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685324
[2] https://bugzilla.redhat.com/show_bug.cgi?id=850425

Upstream patch:
[3] http://geshi.svn.sourceforge.net/viewvc/geshi?view=revision&revision=2507

Issue #B:
---------
Then there is a report about a non-persistent XSS flaw that has been fixed in the contrib module of the 1.0.8.11 version too:
[4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685323

but I was unable to find the relevant upstream patch (and the above Debian BTS entry doesn't contain further information either, which could be acted upon). Thus I am Cc-ing GeSHi upstream on this post to shed light on the XSS flaw [4].

Ben, Nigel, could you please clarify what was the relevant upstream patch for the Debian BTS#685323 / Non-persistent XSS vulnerability in contrib script [4] issue?

Thank you for that, Jan.

Kurt, once the second issue is clarified, could you allocate CVE ids for these?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
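The flaw class in Issue #A is a path parameter ('geshi-path' / 'geshi-lang-path') being joined onto a base directory without confining the result to that directory. The following is an added example, not code from the message above or from the GeSHi project, showing the check a practitioner would want for such a parameter: canonicalize the joined path and refuse anything that does not stay under the intended base. It uses a constructed temporary directory tree (the file and symlink names are assumptions for illustration) and covers the usual escape routes: `..` segments, absolute paths, a sibling directory sharing the base name as a prefix, a symlink that points outside the base, and an embedded NUL byte.

```python
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would leave the allowed base directory."""


def resolve_within(base_dir, user_path):
    """Return the canonical path of base_dir/user_path, or raise if it escapes base_dir.

    This is the hardened counterpart of the flawed pattern described in the
    advisory, where the HTTP parameter was concatenated onto the base directory
    and used as-is. Canonicalization (realpath) collapses '..' segments and
    follows symlinks, so the containment check is made on the real target.
    """
    # A NUL byte would truncate the path in C-level open()/include() calls.
    if "\x00" in user_path:
        raise PathTraversalError("NUL byte in path")
    # os.path.join() silently discards base_dir when user_path is absolute.
    if os.path.isabs(user_path):
        raise PathTraversalError("absolute path not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # Compare with a trailing separator so '/srv/geshi2' is not accepted
    # as being inside '/srv/geshi'.
    if candidate != base and not candidate.startswith(base + os.sep):
        raise PathTraversalError("path escapes base directory")
    return candidate


def demo():
    """Exercise resolve_within() against a constructed directory tree.

    Returns a dict mapping a case name to 'allowed' or 'rejected'.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "geshi")           # assumed install dir
        os.makedirs(os.path.join(base, "geshi"))     # language-file subdir
        with open(os.path.join(base, "geshi", "php.php"), "w") as f:
            f.write("<?php // constructed stand-in for a language file\n")
        # A file outside the base that an attacker would like to read.
        outside = os.path.join(tmp, "secret.txt")
        with open(outside, "w") as f:
            f.write("constructed secret\n")
        # A symlink inside the base that points outside it.
        os.symlink(outside, os.path.join(base, "link"))

        cases = {
            "ok": "geshi/php.php",
            "dotdot": "../secret.txt",
            "abs": "/etc/passwd",
            "sibling": "../geshi2/php.php",
            "symlink": "link",
            "nul": "geshi/php.php\x00.txt",
        }
        for name, user_path in cases.items():
            try:
                resolve_within(base, user_path)
                results[name] = "allowed"
            except PathTraversalError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:8s} {verdict}")
```

The check is deliberately done on the canonical path rather than by stripping `../` from the input, because a string-level filter can be bypassed (for example by `....//` or by a symlink already present under the base directory). Note that realpath alone still does not stop an attacker from naming files the web server user can read inside the base directory; what to allow there (for instance, only `*.php` under the language directory) is a separate allowlist decision.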