A cross-site scripting (XSS) flaw was found in the way 'langwiz' example script of GeSHi, a generic syntax highlighter, performed sanitization of certain HTTP GET / POST request variables (prior dumping their content). A remote attacker could provide a specially-crafted URL that, when visited would lead to arbitrary HTML or web script execution. References: [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685323 Relevant upstream patch (according to clarification by Raphael Geissert in http://www.openwall.com/lists/oss-security/2012/08/21/9): [2] http://geshi.svn.sourceforge.net/viewvc/geshi?view=revision&revision=2508
This issue affects the versions of the php-geshi package, as shipped with Fedora release of 16 and 17. Please schedule an update. -- This issue did NOT affect the versions of the php-geshi package, as shipped with Fedora EPEL 5 and EPEL 6 (as they did not include the vulnerable langwiz.php example script yet).
Created php-geshi tracking bugs for this issue Affects: fedora-all [bug 850435]
The CVE identifier of CVE-2012-3522 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2012/08/21/11
php-geshi-1.0.8.11-3.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
php-geshi-1.0.8.11-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.