Direct static code injection vulnerability in error.php in GuppY 4.5.9 and previous versions, when register_globals is disabled, allows remote malicious users to execute arbitrary PHP code via the _SERVER[REMOTE_ADDR] parameter, which is injected into a .inc script that is later included by the main script.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
guppy guppy 4.5.9 |
||
guppy guppy 4.5 |
||
guppy guppy 4.5.3 |
||
guppy guppy 4.5.3a |
||
guppy guppy 4.5.4 |