PT-2008-6329 · Nigel Mcnie · Geshi

Published: 2008-11-21 · Updated: 2024-08-07 · CVE-2008-5186

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Generic Syntax Highlighter (GeSHi) versions prior to 1.0.8.1

Description
The set_language_path() function in geshi.php might allow remote attackers to conduct file inclusion attacks via crafted inputs that influence the default language path (the $path variable). The vendor has disputed this issue, stating that only a static value is used, so it is not a vulnerability in GeSHi itself. Separate issues would be created for web applications that integrate GeSHi in a way that allows control of the default language path.

Recommendations
For versions prior to 1.0.8.1, update to version 1.0.8.1 or later to resolve the issue. As a temporary workaround, restrict the influence of crafted inputs on the default language path (the $path variable) to minimize the risk of exploitation.

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2008-5186
DTSA-179-1

Affected Products

Geshi