Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 7.5
CVE Id CVE-2008-5186
Last Modified 11 Aug 2009 01:19:29
Published 20 Nov 2008 09:30:00
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2008-5186

Summary

** DISPUTED ** The set_language_path function in geshi.php in Generic Syntax Highlighter (GeSHi) before 1.0.8.1 might allow remote attackers to conduct file inclusion attacks via crafted inputs that influence the default language path ($path variable). NOTE: this issue has been disputed by a vendor, stating that only a static value is used, so this is not a vulnerability in GeSHi. Separate CVE identifiers would be created for web applications that integrate GeSHi in a way that allows control of the default language path.

Vulnerable Systems

Application

  • Geshi 1.0.0

  • Geshi 1.0.1

  • Geshi 1.0.2

  • Geshi 1.0.2 Beta 1

  • Geshi 1.0.3

  • Geshi 1.0.4

  • Geshi 1.0.5

  • Geshi 1.0.6

  • Geshi 1.0.7

  • Geshi 1.0.7.1

  • Geshi 1.0.7.10

  • Geshi 1.0.7.11

  • Geshi 1.0.7.12

  • Geshi 1.0.7.13

  • Geshi 1.0.7.14

  • Geshi 1.0.7.15

  • Geshi 1.0.7.16

  • Geshi 1.0.7.17

  • Geshi 1.0.7.18

  • Geshi 1.0.7.19

  • Geshi 1.0.7.2

  • Geshi 1.0.7.20

  • Geshi 1.0.7.21

  • Geshi 1.0.7.22

  • Geshi 1.0.7.3

  • Geshi 1.0.7.4

  • Geshi 1.0.7.5

  • Geshi 1.0.7.6

  • Geshi 1.0.7.7

  • Geshi 1.0.7.8

  • Geshi 1.0.7.9

  • Geshi 1.0.8


References

BID - 32070

CONFIRM - http://sourceforge.net/project/shownotes.php?release_id=637321

XF - geshi-unspecified-code-execution(46271)

MLIST - [oss-security] 20081110 GeSHi: Clarification about the recent security (non-)issues (SA32559)

SECUNIA - 32559

OSVDB - 49488


Last Updated: 27 May 2016 10:48:44