CVE-2007-0639

Name of the Vulnerable Software and Affected Versions GuppY versions 4.5.16 and earlier

Description The issue allows remote attackers to inject arbitrary PHP code into a .inc file in the data/ directory. This can be achieved via a REMOTE ADDR cookie or a cookie specifying an element of the msg array with an error number in the first dimension and 0 in the second dimension. For example, msg[999][0] can be used to demonstrate this issue.

Recommendations For GuppY versions 4.5.16 and earlier, update to a version later than 4.5.16 to resolve the issue. As a temporary workaround, consider restricting access to the error.php file and the data/ directory to minimize the risk of exploitation. Avoid using the msg array with user-supplied input in the error.php file until the issue is resolved.