BID 14752 is not only an XSS vulnerability; the real problem is a directory
traversal flaw that affects Guppy versions earlier than 4.5.6a.

PoC (works for versions <4.5.4):

    http://localhost/printfaq.php?lng=en&pg=/../../../../../../../etc/passwd%00
Explanation of the problem:

The code in printfaq.php <4.5.4 reads:

    if ($pg!="") {
        include(DBBASE.$pg.INCEXT);
    }
If you set $pg to "<script>alert(XSS)</script>" you receive an error that
PHP can't include the file, and the JavaScript gets executed. This assumes
register_globals and display_errors are enabled. You can also set $pg to
"/../../../../../../../etc/passwd%00" and read the password file,
provided register_globals is enabled and magic_quotes is disabled.
In the printfaq.php patch in versions 4.5.4 and 4.5.5 the code reads:

    $pg = strip_tags($pg);
    if ($pg!="" && file_exists(DBBASE.$pg.INCEXT)) {
        include(DBBASE.$pg.INCEXT);
    }
strip_tags removes HTML and PHP tags from the string but does not affect
directory traversal sequences. $pg is also filtered with the following
eregi():

    if (@eregi("//|/\*|#|:/|\.\./|document.cookie|/script",$_SERVER["QUERY_STRING"])) {
        die("Requête non autorisée - Request not allowed");
    }
This only filters GET requests; you can still pass a directory
traversal request through $pg via a POST or a cookie.
Note that versions 4.5.4 and 4.5.5 are only vulnerable under
EasyGuppy (Guppy for MS Windows), because DBBASE is prepended to
$pg and DBBASE is set to "data/doc". FreeGuppy does not have any directories
under data/ (only data/doc*inc files).
Solution:
The Guppy maintainer was contacted and released guppy v4.5.6a that fixes this flaw.
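As an added example (not Guppy's code and not the maintainer's 4.5.6a fix), this is how the include pattern described above can be hardened: the page name is validated directly, whatever channel it arrived through, instead of relying on a QUERY_STRING-only eregi() filter. The DBBASE/INCEXT values and the helper name resolve_page are assumptions for the demonstration.

```php
<?php
// Added example, not Guppy's own code. DBBASE and INCEXT are assumed values
// chosen for the demo, not Guppy's real configuration.
define('DBBASE', __DIR__ . '/data/doc/');
define('INCEXT', '.inc');

// Return the resolved path of the page to include, or null if $pg is unsafe.
// Validation is done on the parameter itself (GET, POST or cookie alike), so
// a filter that only inspects $_SERVER["QUERY_STRING"] is no longer relied on.
function resolve_page(string $pg): ?string {
    // 1. Allow-list the page name: letters, digits, '_' and '-' only. This
    //    rejects slashes, "..", NUL bytes and any HTML/PHP tags outright,
    //    unlike strip_tags(), which leaves traversal sequences untouched.
    if ($pg === '' || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $pg)) {
        return null;
    }
    $base = realpath(DBBASE);
    $path = realpath(DBBASE . $pg . INCEXT);
    // 2. realpath() returns false for missing files and resolves symlinks;
    //    the resolved file must still sit inside the resolved base directory.
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed inputs: the first two mirror the payloads discussed in the
// advisory, the third is a plain page name (included only if data/doc/faq.inc
// exists on disk).
$samples = [
    "/../../../../../../../etc/passwd\0",
    "<script>alert(XSS)</script>",
    "faq",
];
foreach ($samples as $pg) {
    $resolved = resolve_page($pg);
    // Escape before echoing so a rejected value is never reflected as XSS.
    echo htmlspecialchars($pg, ENT_QUOTES) . ' => '
        . ($resolved === null ? 'rejected' : 'include ' . $resolved) . "\n";
}
```

Because the allow-list runs before realpath(), the NUL-byte payload is rejected without ever reaching the filesystem call.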