Guppy Request Header Injection Vulnerabilities

The remote web server contains a PHP script that allows for arbitrary code execution and cross-site scripting attacks. Description : The remote host is running Guppy, a CMS written in PHP. The remote version of this software does not properly sanitize input to the Referer and User-Agent HTTP headers before using it in the 'error.php' script. A malicious user can exploit this flaw to inject arbitrary script and HTML code into a user's browser or, if PHP's 'magic_quotes_gpc' setting is disabled, PHP code to be executed on the remote host subject to the privileges of the web server user id.

Upgrade to Guppy version 4.5.4 or later.