[wp-hackers] [daniel.leidert.spam@gmx.net: Debian Wordpress package exploitable by GeSHi local PHP file inclusion?]
Amit Gupta
wp at igeek.info
Fri Sep 30 07:10:48 GMT 2005
Robert Deaton <false.hopes at gmail.com> wrote:
| This looks like a problem with Geshi, which is apparently a mod for
| WordPress that adds some sort of syntax highlighting, and is unrelated
| to WordPress itself since Geshi is vulnerable on multiple platforms.
This is indeed GeSHi's problem & those who use GeSHi as it is are affected
by it. My plugin iG:Syntax Hiliter isn't affected by it as the bug is in the
'./contrib/example.php' file. This whole directory is not included in the
plugin ZIP and doesn't need to be present on a webserver for GeSHi to be
operational. So those who are not simply the types of "upload everything in
the ZIP, no matter if you use it or not" won't possibly suffer from this bug.
I've however sent this bug to Nigel (GeSHi developer), who'll look further
into it to see whether this bug extends to the GeSHi core.
Peter Westwood <peter.westwood at ftwr.co.uk> wrote:
| GeSHi is a generic syntax highlighter as far as I could tell when this
| came up on the support forums yesterday.
|
| There is at least one plugin that uses it that _may_ be affected:
| http://dev.wp-plugins.org/wiki/GeshiSyntaxColorer
No, that plugin is also not affected as far as I can say, as that also
doesn't include the 'contrib' directory in the plugin package.
------------
Amit Gupta
http://igeek.info/ || http://blog.igeek.info/
http://blog.igeek.info/wp-plugins/igsyntax-hiliter
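An added example, not part of the original message or of either plugin: a small audit that walks a web root and reports every GeSHi copy that was deployed together with its `contrib/` directory, noting whether `example.php` is there. Recognising a GeSHi copy by a `geshi.php` file is an assumption, and the plugin directory names in the sample tree are constructed.

```python
import os
import tempfile

# Assumption: a deployed GeSHi copy is recognised by its geshi.php file.
# contrib/example.php is the path named in the message above.
MARKER = "geshi.php"


def find_geshi_contrib(webroot):
    """Return sorted (relative GeSHi dir, example.php present) for each
    GeSHi copy under webroot that was deployed with its contrib/ directory."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        if MARKER not in filenames:
            continue
        contrib = os.path.join(dirpath, "contrib")
        if os.path.isdir(contrib):
            has_example = os.path.isfile(os.path.join(contrib, "example.php"))
            findings.append((os.path.relpath(dirpath, webroot), has_example))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed layout: one plugin uploaded with the whole ZIP, one trimmed."""
    layout = [
        "wp-content/plugins/full-upload/geshi.php",
        "wp-content/plugins/full-upload/contrib/example.php",
        "wp-content/plugins/trimmed/geshi.php",
        "wp-content/plugins/trimmed/geshi/php.php",
    ]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for geshi_dir, has_example in find_geshi_contrib(root):
            note = "contrib/example.php present" if has_example else "contrib/ present"
            print(f"{geshi_dir}: {note}; not needed at runtime, remove it")
```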