[wp-hackers] [daniel.leidert.spam@gmx.net: Debian Wordpresspackage exploitable by GeSHi local PHP file inclusion?]

Amit Gupta wp at igeek.info
Fri Sep 30 07:10:48 GMT 2005

Robert Deaton <false.hopes at gmail.com> wrote:
|  This looks like a problem with Geshi, which is apparently a mod for
|  WordPress that adds some sort of syntax highlighting, and is 
|  to WordPress itself since Geshi is vulnerable on multiple platforms.

This is indeed GeSHi's problem & those who use GeSHi as it is are 
by it. My plugin iG:Syntax Hiliter isn't affected by it as the bug is in 
'./contrib/example.php' file. This whole directory is not included in 
the plugin ZIP and doesn't need to be present on a webserver for GeSHi to be
operational. So those who are not simply the types of "upload everything 
the ZIP, no matter if you use it or not" won't possibly suffer from this 

I've however sent this bug to Nigel (the GeSHi developer), who'll look 
into it to see whether this bug extends to the GeSHi core.

Peter Westwood <peter.westwood at ftwr.co.uk> wrote:
|  GeSHi is a generic syntax highlighter as far as I could tell when this
|  came up on the support forums yesterday.
|  There is at least one plugin that uses it that _may_ be affected:
|  http://dev.wp-plugins.org/wiki/GeshiSyntaxColorer

No, that plugin is also not affected as far as I can say as that also 
include the 'contrib' directory in the plugin-package

Amit Gupta
http://igeek.info/  ||  http://blog.igeek.info/
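
Added example, not part of the original message or of GeSHi or any plugin: a small audit that walks a web root and reports every GeSHi copy deployed together with its 'contrib' directory, so the directory can be removed or blocked. It assumes a GeSHi copy is recognisable by a geshi.php file with 'contrib' beside it; the plugin directory names in the sample tree are constructed.

```python
import os
import tempfile


def find_geshi_contrib(web_root):
    """Return (contrib_dir, [php files]) for every GeSHi copy that ships contrib/."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(web_root):
        # Assumption: a GeSHi copy is a directory holding geshi.php,
        # with the optional contrib/ directory as a sibling of that file.
        if "geshi.php" not in filenames or "contrib" not in dirnames:
            continue
        contrib = os.path.join(dirpath, "contrib")
        scripts = sorted(
            f for f in os.listdir(contrib) if f.lower().endswith(".php")
        )
        findings.append((os.path.relpath(contrib, web_root), scripts))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample layout: one full-ZIP upload, one trimmed plugin."""
    layout = [
        "wp-content/plugins/full-upload/geshi.php",
        "wp-content/plugins/full-upload/contrib/example.php",
        "wp-content/plugins/trimmed/geshi.php",
        "wp-content/plugins/trimmed/geshi/php.php",
    ]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for contrib, scripts in find_geshi_contrib(root):
            print("remove or block:", contrib, scripts)
```

Point `find_geshi_contrib` at the real document root instead of the sample tree to audit a server.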