Bugtraq mailing list archives

[ARL02-A11] Big Sam (Built-In Guestbook Stand-Alone Module) Multiple Vulnerabilities


From: Ahmet Sabri ALPER <s_alper () hotmail com>
Date: 18 Mar 2002 23:31:23 -0000



+/--------\-------- ALPER Research Labs ------/--------/+
+/---------\-------  Security Advisory  -----/---------/+
+/----------\------    ID: ARL02-A11    ----/----------/+
+/-----------\----- salper () olympos org  ---/-----------/+


Advisory Information
--------------------
Name               : Big Sam (Built-In Guestbook Stand-Alone Module) Multiple Vulnerabilities
Software Package   : Big Sam (Built-In Guestbook Stand-Alone Module)
Vendor Homepage    : http://bigsam.gezzed.net/
Vulnerable Versions: v1.1.08 and previous versions
Platforms          : PHP Dependent
Vulnerability Type : Input Validation Error
Vendor Contacted   : 15/03/2002
Vendor Replied     : 17/03/2002
Prior Problems     : N/A
Current Version    : v1.1.09 (immune)


Summary
-------
Big Sam (Built-In Guestbook Stand-Alone Module) is a PHP3/4 guestbook script
which does not use databases. It is very simple to set up, very simple to
administer, and very accurate.

A vulnerability exists in Big Sam which may cause extreme usage of system
resources and may cause web root path disclosure.


Details
-------
In "bigsam_guestbook.php", where all the guestbook viewing operations take
place, there is an option to view entries by their number across different
pages. This is accomplished with the "$displayBegin" variable, which is
supplied with an integer.

When a user requests a maliciously crafted URL, the script runs as usual,
but if the given number is a really huge one the system may run out of
resources over time, or, if the "safe_mode" option is "ON" in the server's
PHP config, the script may end prematurely with an error message that
includes the web root path.

Put many digits in place of the dots in the example below:
http://site/bigsam_guestbook.php?displayBegin=9999...9999

If the "safe_mode" option is "ON", an error message like the one below may
appear after approximately 30 seconds, depending on server config:

"Fatal error: Maximum execution time of 30 seconds exceeded in
home/users/sites/example/bigsam_guestbook.php on line 16"

This information may be used to aid in further "intelligent" attacks against
the host running the vulnerable Big Sam guestbook.


Solution
--------
The vendor has verified the existence of the vulnerability and fixed this
issue in version 1.1.09.

I suggested the following as a workaround:
Limit the "$displayBegin" variable, or check if the given post number exists.
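The workaround above, worked through as an added example that is not Big Sam's own code: the entry store, the constants and the helper names are assumptions; only the "$displayBegin" parameter name comes from the advisory. The offset is validated as an integer, clamped to the entries that actually exist, and the loop is bounded by the page size instead of the client-supplied value, so a huge number costs no extra work. Turning off display_errors keeps a fatal error from printing the script path.

```php
<?php
// Added example, not Big Sam's own code. Assumed layout: entries are
// stored one per line in a flat file (Big Sam uses no database).
const ENTRIES_FILE = 'guestbook_entries.txt'; // assumed file name
const PAGE_SIZE    = 10;                      // assumed entries per page

// Never echo fatal errors (and with them the web root path) to the client.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Return a safe start offset: a non-negative integer that refers to an
 * entry that actually exists. Non-numeric, negative or overflowing input
 * (e.g. "9999...9999") falls back to 0; too-large values are clamped.
 */
function safeDisplayBegin($raw, int $entryCount): int
{
    // FILTER_VALIDATE_INT rejects signs, spaces and anything beyond int range.
    $n = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => PHP_INT_MAX],
    ]);
    if ($n === false || $entryCount === 0) {
        return 0;
    }
    // Clamp to the last existing entry so paging never runs past the data.
    return min($n, $entryCount - 1);
}

function loadEntries(string $file): array
{
    if (!is_readable($file)) {
        return [];
    }
    return file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
}

$entries = loadEntries(ENTRIES_FILE);
$begin   = safeDisplayBegin($_GET['displayBegin'] ?? 0, count($entries));
$end     = min($begin + PAGE_SIZE, count($entries));

// The loop is bounded by PAGE_SIZE and the real entry count, not by the
// request, so displayBegin=9999...9999 does at most one page of work.
for ($i = $begin; $i < $end; $i++) {
    echo htmlspecialchars($entries[$i], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```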


Credits
-------
Discovered on 15, March, 2002 by 
Ahmet Sabri ALPER 
salper () olympos org
http://www.olympos.org


References
----------
Product Web Page: http://bigsam.gezzed.net/

