Web Application Firewall bypass in Bitrix CMS



Published: 2020-05-01 | Updated: 2020-05-13
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE ID N/A
CWE ID CWE-20
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
Subscribe
Bitrix Site Manager
Web applications / CMS

Vendor Bitrix

Security Advisory

Updated: 13.05.2020

Changed bulletin status to patched.

1) Input validation error

Risk: Medium

CVSSv3: 4.6 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:U/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: Yes [Search exploit]

Description

The vulnerability allows a remote attacker to bypass web application firewall.

The vulnerability exists due to insufficient validation of user-supplied input when processing NULL byte character within the Proactive Protection module version 19.0.0 and below in Bitrix Site Manager. A remote attacker can pass specially crafted input to the application that contains a NULL byte (%00) and bypass Web Application Firewall rules.

Vulnerable code:

	
	
	
Not loaded

PoC Request:

	http://[host]/?test=tetsBYPASS%00")});alert(1);$(document).ready(function (){%2f%2f

Mitigation

Install update from vendor's website.

Update Proactive Protection module to version 20.0.0.

Vulnerable software versions

Bitrix Site Manager: 16.0, 16.5, 17.0, 18.0, 19.0, 20.0, 20.0.950

CPE External links

https://blog.deteact.com/bitrix-waf-bypass/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.



ImmuniWeb® AI Platform for Application Security Testing