CVE-2007-5844

Name of the Vulnerable Software and Affected Versions GuppY version 4.6.3

Description A directory traversal issue exists, allowing remote attackers to include and execute arbitrary local files. This can be achieved by using a .. (dot dot) in the selskin parameter to "index.php". The issue can also be leveraged for remote file inclusion by including "inc/boxleft.inc" and specifying a URL in the xposbox[L][] array parameter.

Recommendations For GuppY version 4.6.3, consider restricting access to the selskin parameter in "index.php" and avoid using the xposbox[L][] array parameter until a fix is available. As a temporary workaround, consider disabling the inclusion of "inc/boxleft.inc" to minimize the risk of exploitation.