SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   GuppY Vendors:   Duveau, Laurent
GuppY Input Validation Flaw in 'dwnld.php' Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1015753
SecurityTracker URL:  http://securitytracker.com/id/1015753
CVE Reference:   CVE-2006-1224   (Links to External Site)
Updated:  Jan 30 2007
Original Entry Date:  Mar 10 2006
Impact:   Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 4.5.11 and prior versions
Description:   A vulnerability was reported in GuppY. A remote user can overwrite and destroy files on the target system.

The in 'dwnld.php' script does not properly validate user-supplied input. If magic_quotes_gpc is disabled, a remote user can supply a specially crafted URL to overwrite files on the target system.

A demonstration exploit URL that will overwrite the 'stats.dtb' file with '1' is provided:

http://[target]/guppy/mobile/dwnld.php?pg=./%2E./stats

http://[target]/guppy/dwnld.php?pg=./%2E./test.inc%00

trueend5 discovered this vulnerability.

The original advisory is available at:

http://www.kapda.ir/advisory-291.html

http://irannetjob.com/content/view/204/28/

Impact:   A remote user can overwrite files on the target system.
Solution:   The vendor has issued a fixed version (4.5.12), available at:

http://www.freeguppy.org/download.php?lng=fr

Vendor URL:  www.freeguppy.org/ (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  [KAPDA::#33] - GuppY <= 4.5.11 Remote DoS vulnerability

KAPDA New advisory

Vendor: http://www.freeguppy.org
Vulnerable: <= 4.5.11
Bug: Destroy database files (Remote DoS vulnerability)
Exploitation: Remote with browser
Exploit: available

Description:
--------------------
GuppY is a web portal intentionaly designed to be easy
to use for you, 
the final user. It doesn't require any database to
run. It allows you 
to create quickly and without any technical knowledge,
a complete and 
interactive website.
 
Vulnerability:
--------------------

There is a high risk vulnerability in guppy <= 4.5.11
in 'dwnld.php'pages that may 
allow remote attackers to destroy database files.(With
magic_quotes_gpc = Off 
,Its possible to destroy any file that chmoded 666 via
null injection).
Furthermore, directory traversal filter bypassing,
using 
%2E./ instead of ../

Demonstration URL:
--------------------
http://example.com/guppy/mobile/dwnld.php?pg=./%2E./stats
will replace content of stats.dtb with "1"
Or
http://example.com/guppy/dwnld.php?pg=./%2E./test.inc%00

Code Snippets:
--------------------
//dwnld.php
$dnldcounter = ReadDocCounter(DBBASE.$pg);
  UpdateDocCounter($pg);

//log.inc
}
  WriteDBFields(DBLOGH,$dblog);
}
$tabcounter = CompteVisites(DBIPSTATS, DBSTATS);
if ($tabcounter[0] > 0 && ($tabcounter[0]/10) ==
intval($tabcounter[0]/10)) {
  WriteCounter(DBSTATSBK, $tabcounter[0]);
}


//functions.php
function WriteCounter($fic,$DataDB) {
  $fhandle = fopen($fic, "w");
  fputs($fhandle, $DataDB."\n");
  fclose($fhandle);
}
.
.
.
function WriteDBFields($fic,$Fields) {
  $fhandle = fopen($fic, "w");
  $DataDB = "";
  for ($i = 0; $i < count($Fields); $i++) {
    for ($j = 0 ; $j < (count($Fields[$i])-1); $j++) {
      $DataDB .= trim($Fields[$i][$j]).CONNECTOR;
    }
    $DataDB .=
trim($Fields[$i][count($Fields[$i])-1])."\n";
  }
  fputs($fhandle, $DataDB);
  fclose($fhandle);
}
.
.
.
function ReadDocCounter($dirid) {
  $DataDB = ReadCounter($dirid.DBEXT);
  return $DataDB;
}

function WriteDocCounter($dirid,$DataDB) {
  WriteCounter($dirid.DBEXT,$DataDB);
}

function UpdateDocCounter($id) {
  $DataDB = ReadDocCounter(DBBASE.$id);
  $vote = DejaVote(DBIPBASE.$id.DBEXT,300);
  if ($vote[0] == false) {
    $DataDB++;
    WriteDocCounter(DBBASE.$id,$DataDB);
  }
  return $DataDB;
}

More details with Exploit:
--------------------
http://www.kapda.ir/advisory-291.html
In Farsi: http://irannetjob.com/content/view/204/28/

Solution:
--------------------
Upgrade to new version 4.5.12

Credit :
--------------------
Discovered by trueend5 (trueend5 kapda ir)
Computer Security Science Researchers Institute
[http://www.KAPDA.ir] 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC