lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <E1FgafK-0003Qy-00.gogi__-mail-ru@f41.mail.ru>
Date: Thu, 18 May 2006 09:03:14 +0400
From: Gogi The Georgian <gogi__@...l.ru>
To: full-disclosure@...ts.grok.org.uk
Cc: bugtraq@...urityfocus.com
Subject: Multiple Vulns in Bitrix CMS


Multiple Vulns in Bitrix CMS
Vendor: bitrix.com
Version: The latest one (4.1.x)
Severity: Medium
Patched: No

Multiple vulnerabilities were discovered in Bitrix CMS. A remote attacker can conduct XSS attacks and compromise a vulnerable system.
1. A remote attacker can obtain the version history and the latest installed version of Bitrix CMS by viewing the /bitrix/updates/updater.log file.
Ex: http://www.bitrix.ru/bitrix/updates/updater.log
2. An XSS vulnerability exists in the handling of redirects in the auth form (and possibly other forms) during an HTTP POST request. A remote user can set the back_url hidden field to a remote site and redirect the victim to a malicious Web page.
3. A script injection vulnerability exists in the administrative interface in the handling of HTML strings.
Ex: &quot;&gt;&lt;script&gt;alert('XSS')&lt;/script&gt; will be interpreted as "><script>alert('XSS')</script> and executed. (tested with Mozilla Firefox)
4. A vulnerability exists in the Update functionality of Bitrix CMS. A remote attacker can poison the DNS cache of the victim's system and force it to connect to a malicious Web server; the Bitrix update client does not even try to validate the server it connects to. A remote attacker can then obtain the MD5 hash of the product key and detailed information about the system, and install and later execute malicious PHP scripts.
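The fix for items 2 and 3 on the application side is the same pair of checks: only accept a redirect target that stays on the site, and HTML-escape the value before echoing it back into the hidden field. The following is an added illustration written for this post, not code from Bitrix or from the advisory; the function names and the form field markup are assumptions.

```python
from html import escape
from urllib.parse import urlsplit

DEFAULT_TARGET = "/"  # where to send the user when back_url is rejected


def safe_back_url(back_url: str, default: str = DEFAULT_TARGET) -> str:
    """Return back_url only if it is a same-site, path-only target.

    Rejected: absolute URLs (any scheme, e.g. http:, javascript:),
    protocol-relative "//host" forms, the "/\\host" variant that browsers
    normalise to "//host", control characters, and bare relative names.
    """
    if not back_url:
        return default
    candidate = back_url.strip().replace("\\", "/")
    # Tabs, newlines and other control characters are never legitimate here
    # and can change how a browser or intermediary parses the URL.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return default
    parts = urlsplit(candidate)
    # A scheme or a host component means the target leaves this site.
    if parts.scheme or parts.netloc:
        return default
    # Require one leading slash: "//..." would already have a netloc,
    # but check explicitly so the intent is clear.
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    return candidate


def hidden_back_url_field(back_url: str) -> str:
    """Render the hidden field with the validated and HTML-escaped value.

    Escaping closes the hole in item 3: a value such as "><script>...
    is emitted as entities and never breaks out of the attribute.
    """
    value = escape(safe_back_url(back_url), quote=True)
    return '<input type="hidden" name="back_url" value="%s">' % value


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for sample in ["/personal/?x=1", "//evil.example/", "javascript:alert(1)",
                   "/\\evil.example", '/"><script>alert(1)</script>']:
        print(repr(sample), "->", hidden_back_url_field(sample))
```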

Gogi The Georgian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

