From: Ahmet Sabri ALPER (s_alperhotmail.com)
Date: Mon Mar 18 2002 - 17:31:23 CST


    +/--------\-------- ALPER Research Labs ------/--------/+
    +/---------\------- Security Advisory -----/---------/+
    +/----------\------ ID: ARL02-A11 ----/----------/+
    +/-----------\----- salperolympos.org ---/-----------/+


    Advisory Information
    --------------------
    Name : Big Sam (Built-In Guestbook Stand-Alone Module) Multiple Vulnerabilities
    Software Package : Big Sam (Built-In Guestbook Stand-Alone Module)
    Vendor Homepage : http://bigsam.gezzed.net/
    Vulnerable Versions: v1.1.08 and previous versions
    Platforms : PHP Dependent
    Vulnerability Type : Input Validation Error
    Vendor Contacted : 15/03/2002
    Vendor Replied : 17/03/2002
    Prior Problems : N/A
    Current Version : v1.1.09 (immune)


    Summary
    -------
    Big Sam (Built-In Guestbook Stand-Alone Module) is
    a PHP3/4 script guestbook which does not use
    databases.
    It is very simple to set up, very simple to administer,
    and very accurate.

    A vulnerability exists in Big Sam, which may cause
    extreme usage of system resources and may cause
    web root path disclosure.


    Details
    -------
    In "bigsam_guestbook.php", where all guestbook viewing
    operations take place, there is an option to view entries
    page by page according to their number.
    This is accomplished with the "$displayBegin" variable,
    which is supplied with integers.

    When a user requests a maliciously crafted URL, the
    script runs as usual, but if the given number is a
    really huge one, the system may eventually run out of
    resources, or, if the "safe_mode" option is "ON" in the
    server's PHP config, the script might end prematurely
    with an error message that includes the web root path.

    Replace the dots in the example below with many digits.
    http://site/bigsam_guestbook.php?
    displayBegin=9999...9999

    If the "safe_mode" option is "ON", an error message
    like the one below may appear after approximately
    30 seconds, depending on server config.

    "Fatal error: Maximum execution time of 30 seconds
    exceeded in
    home/users/sites/example/bigsam_guestbook.php
    on line 16"

    This information may be used to aid in
    further "intelligent" attacks against the host running
    the vulnerable Big Sam guestbook.


    Solution
    --------
    The vendor has verified the existence of the
    vulnerability and fixed this issue in version 1.1.09.

    I suggested the following as a workaround:
    Limit the "$displayBegin" variable, or check if the
    given post number exists.
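    The workaround above in code, as an added illustration that is not Big Sam's own source: a flat-file guestbook paged by a client-supplied start offset, in the unchecked form the advisory describes and then with the offset validated and clamped to an existing entry. The entry file name, the 10-entries-per-page size and the use of $_GET are assumptions.

```php
<?php
// Added illustration, not Big Sam's own code: paging a flat-file guestbook
// by a client-supplied start offset, first in the unchecked form the advisory
// describes, then with the workaround it proposes. The entry file name, the
// 10-entries-per-page size and the use of $_GET are assumptions.

// Unchecked: the loop bound is whatever the client sent. Skipping lines one
// by one up to 9999...9999 keeps spinning past EOF until max_execution_time
// is hit; with display_errors on, the resulting fatal error prints the
// script's full filesystem path to the browser.
function showPageUnchecked(string $file, $displayBegin, int $perPage = 10): array {
    $fh = fopen($file, 'r');
    for ($i = 0; $i < $displayBegin; $i++) {
        fgets($fh);                     // fgets() at EOF just returns false
    }
    $out = [];
    while (count($out) < $perPage && ($line = fgets($fh)) !== false) {
        $out[] = rtrim($line, "\r\n");
    }
    fclose($fh);
    return $out;
}

// Hardened: validate as a non-negative integer, then clamp it to an entry
// that actually exists, so no loop bound can exceed the number of entries.
function showPageChecked(string $file, $rawBegin, int $perPage = 10): array {
    $entries = file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($entries === false) {
        return [];
    }
    $begin = filter_var($rawBegin, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($begin === false || $begin >= count($entries)) {
        $begin = 0;                     // not an int, negative, or past the end: first page
    }
    return array_slice($entries, $begin, $perPage);
}

// The path-disclosure half of the problem is a server setting: send fatal
// errors to the log, never to the response body.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

$file  = __DIR__ . '/guestbook_entries.txt';   // assumed entry file, one entry per line
$begin = $_GET['displayBegin'] ?? 0;           // the 2002 script took $displayBegin via register_globals
foreach (showPageChecked($file, $begin) as $entry) {
    echo htmlspecialchars($entry, ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

    Note that filter_var() rejects the oversized 9999...9999 value outright, since it does not fit in an integer, so the request falls back to the first page instead of spinning.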


    Credits
    -------
    Discovered on 15 March 2002 by
    Ahmet Sabri ALPER
    salperolympos.org
    http://www.olympos.org


    References
    ----------
    Product Web Page: http://bigsam.gezzed.net/