[UNIX] GuppY Directory Traversal and Database Corruption



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



GuppY Directory Traversal and Database Corruption
------------------------------------------------------------------------


SUMMARY

<http://www.freeguppy.org> GuppY is a web portal designed to be easy to use
for the end user. It does not require a database server to run; its data is
kept in files.
A remote attacker can overwrite the application's file-based database with
arbitrary content and perform a directory traversal attack.

DETAILS

Vulnerable Systems:
* GuppY version 4.5.11 and lower

Immune Systems:
* GuppY version 4.5.12

When GuppY is installed with magic_quotes_gpc = Off, a remote attacker can
write arbitrary content to the database via NULL-byte injection in the pg
parameter of dwnld.php: the parameter value ($pg) is appended to a path
(DBBASE.$pg) and handed to the counter functions without validation.
Furthermore, the traversal filter applied to the parameter only matches the
literal string ../, so it can be bypassed by using %2E./ instead of ../,
thus allowing directory traversal.

Vulnerable Code:
//dwnld.php
// $pg comes straight from the request and is used to build a file path;
// with magic_quotes_gpc = Off a NULL byte in it reaches that path unescaped.
$dnldcounter = ReadDocCounter(DBBASE.$pg);
UpdateDocCounter($pg);

//log.inc
}
WriteDBFields(DBLOGH,$dblog);
}
$tabcounter = CompteVisites(DBIPSTATS, DBSTATS);
// every tenth visit the counter is written back to the stats backup file
if ($tabcounter[0] > 0 && ($tabcounter[0]/10) == intval($tabcounter[0]/10)) {
WriteCounter(DBSTATSBK, $tabcounter[0]);
}


//functions.php
// opens the target file for writing ("w" truncates it), so whatever path
// reaches $fic is overwritten with $DataDB
function WriteCounter($fic,$DataDB) {
$fhandle = fopen($fic, "w");
fputs($fhandle, $DataDB."\n");
fclose($fhandle);
}
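The filter above failed because it matched the literal ../ without first decoding the value, so the practical lesson is to canonicalize before matching. The following log scanner is an added example (not GuppY's code and not part of the advisory): it percent-decodes the pg parameter of dwnld.php requests until the value stops changing, then flags NULL bytes and traversal sequences; the access-log lines, client addresses and target paths are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (not from the advisory); only the
# dwnld.php script name and its pg parameter come from the vulnerable code.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2007:10:00:00 +0000] "GET /dwnld.php?pg=docs/guide.pdf HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2007:10:00:01 +0000] "GET /dwnld.php?pg=%2E./%2E./admin/index.php%00 HTTP/1.1" 200 0
10.0.0.7 - - [01/Jan/2007:10:00:02 +0000] "GET /dwnld.php?pg=..%252F..%252Fadmin/index.php HTTP/1.1" 200 0
10.0.0.8 - - [01/Jan/2007:10:00:03 +0000] "GET /index.php?lng=fr HTTP/1.1" 200 2048
"""

# Common Log Format: client identd user [timestamp] "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def canonicalize(value, max_rounds=3):
    """Percent-decode until stable (bounded) so %2E./ or ..%2F cannot hide from a literal '../' check."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def classify_pg(raw_value):
    """Return the reasons a raw pg value is unsafe ([] when it looks benign)."""
    value = canonicalize(raw_value)
    reasons = []
    if "\x00" in value:                 # NULL byte truncates DBBASE.$pg in PHP
        reasons.append("null byte")
    if re.search(r"(^|/)\.\.(/|$)", value):
        reasons.append("traversal")
    return reasons

def scan_log(text):
    """Return (client_ip, raw_pg, reasons) for dwnld.php requests with an unsafe pg."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client_ip, target = match.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/dwnld.php"):
            continue
        for pair in parts.query.split("&"):   # keep the raw, still-encoded value
            key, _, raw = pair.partition("=")
            if key == "pg" and (reasons := classify_pg(raw)):
                hits.append((client_ip, raw, reasons))
    return hits
```

Running scan_log(SAMPLE_LOG) reports the second and third requests only; the double-encoded ..%252F case is caught because decoding is repeated until the value is stable.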

