Web Application Firewall bypass in Bitrix CMS



Published: 2020-05-01 | Updated: 2020-05-13
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID N/A
CWE-ID CWE-20
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
Subscribe 		Bitrix Site Manager
Web applications / CMS

Vendor Bitrix

Security Bulletin

This security bulletin contains information about 1 vulnerabilities.

Updated: 13.05.2020

Changed bulletin status to patched.

1) Input validation error

EUVDB-ID: #VU27476

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:U/RC:C]

CVE-ID: N/A

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass web application firewall.

The vulnerability exists due to insufficient validation of user-supplied input when processing NULL byte character within the Proactive Protection module version 19.0.0 and below in Bitrix Site Manager. A remote attacker can pass specially crafted input to the application that contains a NULL byte (%00) and bypass Web Application Firewall rules.

Vulnerable code: 

	
	
	
Not loaded

PoC Request: 

	http://[host]/?test=tetsBYPASS%00")});alert(1);$(document).ready(function (){%2f%2f

Mitigation

Install update from vendor's website.

Update Proactive Protection module to version 20.0.0.

Vulnerable software versions

Bitrix Site Manager: 16.0 - 20.0.950

External links

http://blog.deteact.com/bitrix-waf-bypass/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.



###SIDEBAR###