Guppy Request Header Injection Vulnerabilities (CVE-2005-2853)
pentest-tools.com, indexed 2025-03-26
Download link:
https://pentest-tools.com/vulnerabilities-exploits/undefined
Resource description:
The remote web server contains a PHP script that allows for arbitrary code execution and cross-site scripting attacks. Description: The remote host is running Guppy, a CMS written in PHP. The remote version of this software does not properly sanitize input to the Referer and User-Agent HTTP headers before using it in the error.php script. A malicious user can exploit this flaw to inject arbitrary script and HTML code into a user's browser or, if PHP's magic_quotes_gpc setting is disabled, PHP code to be executed on the remote host subject to the privileges of the web server user id.
Provider:
pentest-tools.com



