[ARL02-A11] Big Sam (Built-In Guestbook Stand-Alone Module)
Date: 18 Mar 2002 23:31:23 -0000
Message-ID: <20020318233123.14430.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Ahmet Sabri ALPER <s_alper@hotmail.com>
To: bugtraq@securityfocus.com
+/--------\-------- ALPER Research Labs ------/--------/+
+/---------\------- Security Advisory -----/---------/+
+/----------\------ ID: ARL02-A11 ----/----------/+
+/-----------\----- salper@olympos.org ---/-----------/+
Advisory Information
--------------------
Name : Big Sam (Built-In Guestbook Stand-Alone Module) Multiple Vulnerabilities
Software Package : Big Sam (Built-In Guestbook Stand-Alone Module)
Vendor Homepage : http://bigsam.gezzed.net/
Vulnerable Versions: v1.1.08 and previous versions
Platforms : PHP Dependent
Vulnerability Type : Input Validation Error
Vendor Contacted : 15/03/2002
Vendor Replied : 17/03/2002
Prior Problems : N/A
Current Version : v1.1.09 (immune)
Summary
-------
Big Sam (Built-In Guestbook Stand-Alone Module) is
a PHP3/4 guestbook script which does not use a
database.
It is very simple to set up, very simple to administer,
and very accurate.
A vulnerability exists in Big Sam which may cause
extreme usage of system resources and may disclose
the web root path.
Details
-------
In "bigsam_guestbook.php", where all guestbook
viewing operations take place, there is an option to
view entries page by page according to their number.
This is accomplished with the "$displayBegin"
variable, which is supplied with an integer.
When a user requests a maliciously crafted URL, the
script runs as usual, but if the given number is
really huge the system may in time run out of
resources, or, if the "safe_mode" option is "ON" in
the server's PHP configuration, the script may
terminate prematurely with an error message that
includes the web root path.
Put many numbers instead of the dots in the example
below.
http://site/bigsam_guestbook.php?
displayBegin=9999...9999
If the "safe_mode" option is "ON", an error message
like the one below may appear after approximately
30 seconds, depending on the server configuration.
"Fatal error: Maximum execution time of 30 seconds
exceeded in
home/users/sites/example/bigsam_guestbook.php
on line 16"
This information may be used to aid further
"intelligent" attacks against the host running the
vulnerable Big Sam guestbook.
Solution
--------
The vendor has verified the existence of the
vulnerability and fixed this issue in version 1.1.09.
I suggested the following as a workaround:
Limit the "$displayBegin" variable, or check if the
given post number exists.
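The following PHP listing is an added illustration of the flaw in the Details section and of the workaround above; it is not Big Sam's own code. The variable name $displayBegin comes from the advisory, but the loop structure (skipping $displayBegin entries one by one before rendering a page) is a hypothetical reconstruction, and the guestbook entries are a constructed array rather than the flat file the real script reads.

```php
<?php
// Added illustration, not Big Sam's own code. It models the flaw the
// advisory describes: the page offset ($displayBegin, the name used in the
// advisory) drives a skip loop whose length is taken from the request
// instead of from the number of entries that exist. The loop structure is
// a hypothetical reconstruction; the entry store is a constructed array
// (the real script reads a flat file).

// Constructed sample guestbook.
$entries = [
    ['name' => 'alice', 'text' => 'first post'],
    ['name' => 'bob',   'text' => 'second post'],
    ['name' => 'carol', 'text' => 'third post'],
    ['name' => 'dave',  'text' => 'fourth post'],
];
$perPage = 2;

// Vulnerable shape (hypothetical): skip $displayBegin entries one by one,
// then render $perPage of them. The cost is proportional to the attacker's
// number, not to the guestbook, so a 40-digit value keeps the script busy
// until max_execution_time fires; with display_errors on, the resulting
// fatal error includes the script's filesystem path.
function renderPageUnchecked(array $entries, $displayBegin, int $perPage): array
{
    $displayBegin = (int)$displayBegin;   // PHP's loose cast: no range check
    $skipped = 0;
    for ($i = 0; $i < $displayBegin; $i++) {
        $skipped++;                        // one step per requested offset
    }
    $page = array_slice($entries, $displayBegin, $perPage);
    return ['skipped' => $skipped, 'page' => $page];
}

// Hardened shape (the workaround the advisory proposes): require a plain
// non-negative integer, refuse offsets beyond the last entry, and index
// directly instead of counting up to the offset.
function renderPageChecked(array $entries, $rawDisplayBegin, int $perPage): ?array
{
    // FILTER_VALIDATE_INT rejects non-numeric strings, signs, exponents and
    // anything outside the platform integer range, which is exactly the
    // "really huge number" case.
    $begin = filter_var($rawDisplayBegin, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 0]]);
    if ($begin === false || $begin >= count($entries)) {
        return null;                       // no such entry: nothing to do
    }
    return array_slice($entries, $begin, $perPage);
}

// Normal request: both produce the same page.
$unchecked = renderPageUnchecked($entries, '2', $perPage);
$checked   = renderPageChecked($entries, '2', $perPage);
echo "unchecked skipped {$unchecked['skipped']} entries, showed "
   . count($unchecked['page']) . "\n";
echo "checked showed " . count($checked) . "\n";

// A large but survivable offset: the unchecked version does 5,000,000
// loop steps for a four-entry guestbook; the checked version refuses it
// immediately. The 40-digit value from the advisory's URL is deliberately
// not fed to the unchecked version, since that is the hang being described.
$big = renderPageUnchecked($entries, '5000000', $perPage);
echo "unchecked skipped {$big['skipped']} entries for a 4-entry book\n";
var_dump(renderPageChecked($entries, '5000000', $perPage));           // NULL
var_dump(renderPageChecked($entries, str_repeat('9', 40), $perPage)); // NULL
```

The two checks in renderPageChecked are independent: validating the integer range stops the script from ever starting a loop sized by the request, and comparing the offset against count($entries) implements the "check if the given post number exists" half of the workaround, so an out-of-range page is answered with nothing rather than with work proportional to the number supplied.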
Credits
-------
Discovered on 15 March 2002 by
Ahmet Sabri ALPER
salper@olympos.org
http://www.olympos.org
References
----------
Product Web Page: http://bigsam.gezzed.net/