[ARL02-A11] Big Sam (Built-In Guestbook Stand-Alone Module) Multiple Vulnerabilities

2002-03-19T00:00:00
ID SECURITYVULNS:DOC:2648
Type securityvulns
Reporter Securityvulns
Modified 2002-03-19T00:00:00

Description

+/--------\-------- ALPER Research Labs ------/--------/+
+/---------\------- Security Advisory -----/---------/+
+/----------\------ ID: ARL02-A11 ----/----------/+
+/-----------\----- salper@olympos.org ---/-----------/+

Advisory Information

Name               : Big Sam (Built-In Guestbook Stand-Alone Module) Multiple Vulnerabilities
Software Package   : Big Sam (Built-In Guestbook Stand-Alone Module)
Vendor Homepage    : http://bigsam.gezzed.net/
Vulnerable Versions: v1.1.08 and previous versions
Platforms          : PHP Dependent
Vulnerability Type : Input Validation Error
Vendor Contacted   : 15/03/2002
Vendor Replied     : 17/03/2002
Prior Problems     : N/A
Current Version    : v1.1.09 (immune)

Summary

Big Sam (Built-In Guestbook Stand-Alone Module) is a PHP3/4 guestbook script which does not use a database. It is very simple to set up, very simple to administer, and very accurate.

A vulnerability exists in Big Sam which may cause extreme usage of system resources and may disclose the web root path.

Details

In "bigsam_guestbook.php", where all the guestbook viewing operations take place, there is an option to view entries by their number across different pages. This is accomplished with the "$displayBegin" variable, which is supplied with integers.

When a user requests a maliciously crafted URL, the script runs as usual, but if the given number is a really huge one, the system may run out of resources in time; or, if the "safe_mode" option is "ON" in the server's PHP config, the script might end prematurely with an error message that includes the web root path.

Put many numbers instead of dots in the example below.

http://site/bigsam_guestbook.php?displayBegin=9999...9999

If the "safe_mode" option is "ON", an error message like the one below may appear after approximately 30 seconds, depending on server config.

"Fatal error: Maximum execution time of 30 seconds exceeded in home/users/sites/example/bigsam_guestbook.php on line 16"

This information may be used to aid further "intelligent" attacks against the host running the vulnerable Big Sam guestbook.

Solution

The vendor has verified the existence of the vulnerability and fixed this issue in version 1.1.09.

I suggested the following as a workaround:

Limit the "$displayBegin" variable, or check if the given post number exists.
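As an added example, not the advisory author's code or Big Sam's own, the following page handler in current PHP (not the PHP3/4 the advisory targets) applies the suggested workaround: it bounds $displayBegin by the number of stored entries and keeps PHP's error text, and with it the script path, out of the response. The entries file name and page size are assumptions.

```php
<?php
// Added example, not Big Sam's own code: one way to apply the workaround
// the advisory suggests (bound $displayBegin and check that the requested
// entry exists). $entriesFile and $perPage are assumptions for this demo.

// Keep PHP's own error text (which includes the script path) out of the
// response; a timeout or other fatal error then discloses nothing to the client.
ini_set('display_errors', '0');

$entriesFile = __DIR__ . '/guestbook_entries.txt'; // assumed flat-file store, one entry per line
$perPage     = 10;                                  // assumed number of entries per page

// Load the entries once; their count is the only legitimate upper bound for the offset.
$entries = is_file($entriesFile)
    ? file($entriesFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES)
    : [];
$total = count($entries);

// Validate the offset as a plain integer in [0, $total - 1]. FILTER_VALIDATE_INT
// rejects non-digits and any value outside PHP's integer range (so a string of
// hundreds of 9s fails), and max_range rejects offsets past the last real entry.
// On any failure the 'default' option yields 0 instead of false.
$displayBegin = filter_var($_GET['displayBegin'] ?? '0', FILTER_VALIDATE_INT, [
    'options' => [
        'default'   => 0,
        'min_range' => 0,
        'max_range' => max(0, $total - 1),
    ],
]);

// With the offset bounded, this slice (and any loop built on it) touches at most
// $perPage entries no matter what the client supplied.
$page = array_slice($entries, $displayBegin, $perPage);

foreach ($page as $i => $entry) {
    // Escape before output so stored entries cannot inject markup into the page.
    printf("%d: %s\n", $displayBegin + $i + 1, htmlspecialchars($entry, ENT_QUOTES, 'UTF-8'));
}
```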

Credits

Discovered on 15 March 2002 by
Ahmet Sabri ALPER
salper@olympos.org
http://www.olympos.org

References

Product Web Page: http://bigsam.gezzed.net/