Vulners
Lucene search
guppyDoS.txt
`KAPDA New advisory
Vendor: http://www.freeguppy.org
Vulnerable: <= 4.5.11
Bug: Destroy database files (Remote DoS vulnerability)
Exploitation: Remote with browser
Exploit: available
Description:
--------------------
GuppY is a web portal intentionaly designed to be easy
to use for you,
the final user. It doesn't require any database to
run. It allows you
to create quickly and without any technical knowledge,
a complete and
interactive website.
Vulnerability:
--------------------
There is a high risk vulnerability in guppy <= 4.5.11
in 'dwnld.php'pages that may
allow remote attackers to destroy database files.(With
magic_quotes_gpc = Off
,Its possible to destroy any file that chmoded 666 via
null injection).
Furthermore, directory traversal filter bypassing,
using
%2E./ instead of ../
Demonstration URL:
--------------------
http://example.com/guppy/mobile/dwnld.php?pg=./%2E./stats
will replace content of stats.dtb with "1"
Or
http://example.com/guppy/dwnld.php?pg=./%2E./test.inc%00
Code Snippets:
--------------------
//dwnld.php
$dnldcounter = ReadDocCounter(DBBASE.$pg);
UpdateDocCounter($pg);
//log.inc
}
WriteDBFields(DBLOGH,$dblog);
}
$tabcounter = CompteVisites(DBIPSTATS, DBSTATS);
if ($tabcounter[0] > 0 && ($tabcounter[0]/10) ==
intval($tabcounter[0]/10)) {
WriteCounter(DBSTATSBK, $tabcounter[0]);
}
//functions.php
function WriteCounter($fic,$DataDB) {
$fhandle = fopen($fic, "w");
fputs($fhandle, $DataDB."\n");
fclose($fhandle);
}
.
.
.
function WriteDBFields($fic,$Fields) {
$fhandle = fopen($fic, "w");
$DataDB = "";
for ($i = 0; $i < count($Fields); $i++) {
for ($j = 0 ; $j < (count($Fields[$i])-1); $j++) {
$DataDB .= trim($Fields[$i][$j]).CONNECTOR;
}
$DataDB .=
trim($Fields[$i][count($Fields[$i])-1])."\n";
}
fputs($fhandle, $DataDB);
fclose($fhandle);
}
.
.
.
function ReadDocCounter($dirid) {
$DataDB = ReadCounter($dirid.DBEXT);
return $DataDB;
}
function WriteDocCounter($dirid,$DataDB) {
WriteCounter($dirid.DBEXT,$DataDB);
}
function UpdateDocCounter($id) {
$DataDB = ReadDocCounter(DBBASE.$id);
$vote = DejaVote(DBIPBASE.$id.DBEXT,300);
if ($vote[0] == false) {
$DataDB++;
WriteDocCounter(DBBASE.$id,$DataDB);
}
return $DataDB;
}
More details with Exploit:
--------------------
http://www.kapda.ir/advisory-291.html
In Farsi: http://irannetjob.com/content/view/204/28/
Solution:
--------------------
Upgrade to new version 4.5.12
Credit :
--------------------
Discovered by trueend5 (trueend5 kapda ir)
Computer Security Science Researchers Institute
[http://www.KAPDA.ir]
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Mar 2006 00:00Current
7.4High risk
Vulners AI Score7.4