[ARL02-A11] Big Sam (Built-In Guestbook Stand-Alone Module) Multiple Vulnerabilities

From: Ahmet Sabri ALPER (s_alperat_private)
Date: Mon Mar 18 2002 - 15:31:23 PST


    +/--------\-------- ALPER Research Labs ------/--------/+
    +/---------\-------  Security Advisory  -----/---------/+
    +/----------\------    ID: ARL02-A11    ----/----------/+
    +/-----------\----- salperat_private  ---/-----------/+
    
    
    Advisory Information
    --------------------
    Name               : Big Sam (Built-In Guestbook Stand-Alone Module) Multiple Vulnerabilities
    Software Package   : Big Sam (Built-In Guestbook Stand-Alone Module)
    Vendor Homepage    : http://bigsam.gezzed.net/
    Vulnerable Versions: v1.1.08 and previous versions
    Platforms          : PHP Dependent
    Vulnerability Type : Input Validation Error
    Vendor Contacted   : 15/03/2002
    Vendor Replied     : 17/03/2002
    Prior Problems     : N/A
    Current Version    : v1.1.09 (immune)
    
    
    Summary
    -------
    Big Sam (Built-In Guestbook Stand-Alone Module) is 
    a PHP3/4 guestbook script which does not use a 
    database. 
    It is very simple to set up, very simple to administer, 
    and very accurate.
    
    A vulnerability exists in Big Sam which may cause 
    extreme usage of system resources and may disclose 
    the web root path.
    
    
    Details
    -------
    In "bigsam_guestbook.php", where all the 
    guestbook viewing operations take place, there is an 
    option to view entries on different pages according 
    to their number.
    This is accomplished with the "$displayBegin" 
    variable, which is supplied with an integer.
    
    When a user requests a maliciously crafted URL, the 
    script runs as usual, but if the given number is a 
    really huge one, the system may run out of resources 
    over time; or, if the "safe_mode" option is "ON" in the 
    server's PHP config, the script may be terminated 
    prematurely with an error message that includes the 
    web root path.
    
    Put many numbers instead of the dots in the example 
    below.
    http://site/bigsam_guestbook.php?displayBegin=9999...9999
    
    If the "safe_mode" option is "ON", an error message 
    like the one below may appear after approximately 
    30 seconds, depending on server config.
    
    "Fatal error: Maximum execution time of 30 seconds exceeded in home/users/sites/example/bigsam_guestbook.php on line 16"
    
    This information may be used to aid in 
    further "intelligent" attacks against the host running 
    the vulnerable Big Sam guestbook.
    
    
    Solution
    --------
    The vendor has verified the existence of the 
    vulnerability and fixed this issue in version 1.1.09.
    
    I suggested the following as a workaround:
    Limit the "$displayBegin" variable, or check if the 
    given post number exists.
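    The workaround above, written out as an added example for current PHP (7 or later) rather than the PHP3/4 of the original; this is not Big Sam's own code, and the function names, the page size and the flat-file sample data are assumptions for illustration. The untrusted "displayBegin" value is accepted only as a short plain decimal, and is then checked against the number of entries that actually exist, so the page-building loop is bounded by the data rather than by the attacker's number.

```php
<?php
// Added example, not Big Sam's own code: bounded handling of the paging
// parameter the advisory calls "$displayBegin", for current PHP (7+).
// Function names and the page size are assumptions for illustration.

const ENTRIES_PER_PAGE = 10; // assumed page size

/**
 * Reduce an untrusted displayBegin value to a safe zero-based offset.
 * Anything that is not a short, plain decimal integer, or that points
 * past the last existing entry, collapses to 0 (the first page).
 */
function sanitizeDisplayBegin($raw, int $entryCount): int
{
    // Only a plain non-negative decimal of at most 7 digits is accepted;
    // this rejects the huge "9999...9999" values from the advisory before
    // they are ever converted to a number or used to size any work.
    if (!is_string($raw) || !preg_match('/^\d{1,7}\z/', $raw)) {
        return 0;
    }
    $begin = (int) $raw;
    // Check that the requested post actually exists, as the workaround
    // suggests, so no loop can run past the data that is present.
    if ($begin >= $entryCount) {
        return 0;
    }
    return $begin;
}

/**
 * Return one page of entries; array_slice never reads beyond the array,
 * so the work done is bounded by ENTRIES_PER_PAGE regardless of input.
 */
function pageEntries(array $entries, int $begin): array
{
    return array_slice($entries, $begin, ENTRIES_PER_PAGE);
}

// Constructed sample data standing in for the guestbook's flat file.
$entries = [];
for ($i = 1; $i <= 25; $i++) {
    $entries[] = "entry $i";
}

$raw   = $_GET['displayBegin'] ?? '0';
$begin = sanitizeDisplayBegin($raw, count($entries));
foreach (pageEntries($entries, $begin) as $entry) {
    echo htmlspecialchars($entry, ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

    With the input bounded this way the execution-time limit is never reached from this parameter. The path-disclosure half of the issue is separately addressed at the server level: with display_errors turned off in the production php.ini (and errors written to the log instead), a fatal error reports nothing to the browser, so even an unrelated timeout cannot reveal the web root path.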
    
    
    Credits
    -------
    Discovered on 15 March 2002 by 
    Ahmet Sabri ALPER 
    salperat_private
    http://www.olympos.org
    
    
    References
    ----------
    Product Web Page: http://bigsam.gezzed.net/
    



    This archive was generated by hypermail 2b30 : Mon Mar 18 2002 - 20:39:11 PST