GuppY printfaq.php pg Variable Traversal Arbitrary File Access

2005-09-06T07:08:30
ID OSVDB:19242
Type osvdb
Reporter Josh Zlatin-Amishav(josh@tkos.co.il)
Modified 2005-09-06T07:08:30

Description

Vulnerability Description

GuppY contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to the 'printfaq.php' script not properly sanitizing user input, specifically traversal style attacks (../../) supplied via the 'pg' variable.

Solution Description

Upgrade to version 4.5.6a or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

GuppY contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to the 'printfaq.php' script not properly sanitizing user input, specifically traversal style attacks (../../) supplied via the 'pg' variable.

Manual Testing Notes

http://[target]/printfaq.php?lng=en&pg=/../../../../../../../etc/passwd%00

References:

Vendor URL: http://www.freeguppy.org/?lng=en Secunia Advisory ID:16707 Related OSVDB ID: 19243 Other Advisory URL: http://www.frsirt.com/bulletins/1891 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-09/0362.html CVE-2005-3156