BID 14752 is not only an XSS vulnerability, the real problem is a directory transversal flaw and affects Guppy versions less than 4.5.6a. PoC (works for versions <4.5.4): http://localhost/printfaq.php?lng=en&pg=/../../../../../../../etc/passwd%00 Explanation of the problem: The code in printfaq.php <4.5.4 reads: if ($pg!="") { include(DBBASE.$pg.INCEXT); If you set $pg to "" you receive an error that PHP can't include the file and the javascript gets executed. This assumes register_globals and display_errors are enabled. You can also set $pg to: "/../../../../../../../etc/passwd%00" and read the password file provided register_globals is enabled and magic_quotes is disabled. In the printfaq.php patch in versions 4.5.4 and 4.5.5 the code reads: $pg = strip_tags($pg); if ($pg!="" && file_exists(DBBASE.$pg.INCEXT)) { include(DBBASE.$pg.INCEXT); strip_tags removes HTML and PHP tags from the string but does not affect directory transversal sequences. $pg is also filtered with the following eregi(): if (@eregi("//|/\*|#|:/|\.\./|document.cookie|/script",$_SERVER["QUERY_STRING"])) { die("Requte non autorise - Request not allowed"); } This only filters GET requests you can still pass in a directory transversal request through $pg via a POST or cookie. Note that the flaw is only vulnerable in versions 4.5.4 and 4.5.5 under EasyGuppy (Guppy for MS Windows) due to the fact that DBBASE is prepended to $pg and DBBASE is set to "data/doc". FreeGuppy does not have any directories under data/ (only data/doc*inc files). Solution: The Guppy maintainer was contacted and released guppy v4.5.6a that fixes this flaw.