Summary
The remote web server contains a PHP script that allows for arbitrary code execution and cross-site scripting attacks.
Description :
The remote host is running Guppy, a CMS written in PHP.
The remote version of this software does not properly sanitize input to the Referer and User-Agent HTTP headers before using it in the 'error.php' script. A malicious user can exploit this flaw to inject arbitrary script and HTML code into a user's browser or, if PHP's 'magic_quotes_gpc' seting is disabled, PHP code to be executed on the remote host subject to the privileges of the web server user id.
Solution
Upgrade to Guppy version 4.5.4 or later.
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2005-2853 -
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Related Vulnerabilities
- Adobe ColdFusion Unspecified Information Disclosure Vulnerability
- Abtp Portal Project 'ABTPV_BLOQUE_CENT' Parameter Local and Remote File Include Vulnerabilities
- AfterLogic WebMail Pro Multiple Cross Site Scripting Vulnerabilities
- Apache Tomcat source.jsp malformed request information disclosure
- 3Com NBX VoIP NetSet Detection