GuppY dwnld.php pg Variable Arbitrary File Overwrite

2006-03-10T06:02:37
ID OSVDB:23846
Type osvdb
Reporter trueend5(trueend5@kapda ir)
Modified 2006-03-10T06:02:37

Description

Vulnerability Description

GuppY contains a flaw that may allow a remote denial of service. The issue is caused by improper sanitization of the 'pg' variable in dwnld.php before it is used to write a counter value to '.dtb' files. Using null injection, an attacker can overwrite any file with permissions set to 666, resulting in a loss of availability for the service.

Technical Description

This vulnerability is only present when the magic_quotes_gpc PHP option is 'off'.

Solution Description

Upgrade to version 4.5.12 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

http://[target]/guppy/mobile/dwnld.php?pg=./%2E./stats
http://[target]/guppy/dwnld.php?pg=./%2E./test.inc%00
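
A log check for the request patterns listed above, as an added example that is not part of the original OSVDB entry: it percent-decodes the 'pg' parameter of dwnld.php requests and flags traversal segments and null bytes. The log lines are constructed, and the allow-list of plain identifier 'pg' values is an assumption about legitimate use.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines; clients and timestamps are illustrative.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2006:06:10:01 +0000] "GET /guppy/dwnld.php?pg=12 HTTP/1.1" 200 512
198.51.100.9 - - [10/Mar/2006:06:11:13 +0000] "GET /guppy/mobile/dwnld.php?pg=./%2E./stats HTTP/1.1" 200 498
198.51.100.9 - - [10/Mar/2006:06:11:40 +0000] "GET /guppy/dwnld.php?pg=./%2E./test.inc%00 HTTP/1.1" 200 498
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: legitimate pg values are plain identifiers (not confirmed by the advisory).
SAFE_PG = re.compile(r"[A-Za-z0-9_-]+")


def classify_pg(value):
    """Return the reasons a percent-decoded pg value looks like this flaw being probed."""
    reasons = []
    if "\x00" in value:
        reasons.append("null-byte")
    # Compare whole path segments so "./../stats" matches but "a..b" does not.
    if ".." in re.split(r"[\\/]", value):
        reasons.append("traversal")
    if not reasons and not SAFE_PG.fullmatch(value):
        reasons.append("unexpected-chars")
    return reasons


def scan(log_text):
    """Return (client, path, reasons) for each suspicious dwnld.php request."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/dwnld.php"):
            continue
        # parse_qsl percent-decodes once, turning %2E into "." and %00 into NUL.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == "pg" and (reasons := classify_pg(value)):
                findings.append((client, url.path, reasons))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```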

References:

Vendor URL: http://www.freeguppy.org/
Security Tracker: 1015753
Secunia Advisory ID: 19222
Related OSVDB ID: 23993
Other Advisory URL: http://www.kapda.ir/advisory-291.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-02/0758.html
ISS X-Force ID: 25141
FrSIRT Advisory: ADV-2006-0936
CVE-2006-1224
Bugtraq ID: 17068