Vulnerability identifier: #VU27476
Vulnerability risk: Medium
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-20
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Bitrix Site Manager
Web applications /
CMS
Vendor: Bitrix
Description
The vulnerability allows a remote attacker to bypass web application firewall.
The vulnerability exists due to insufficient validation of user-supplied input when processing NULL byte character within the Proactive Protection module version 19.0.0 and below in Bitrix Site Manager. A remote attacker can pass specially crafted input to the application that contains a NULL byte (%00) and bypass Web Application Firewall rules.
Vulnerable code:
require($_SERVER["DOCUMENT_ROOT"]."/bitrix/header.php"); $s = $_GET["test"]; ?>Not loaded
PoC Request:
http://[host]/?test=tetsBYPASS%00")});alert(1);$(document).ready(function (){%2f%2f
Mitigation
Install update from vendor's website.
Update Proactive Protection module to version 20.0.0.
Vulnerable software versions
Bitrix Site Manager: 16.0 - 20.0.950
External links
http://blog.deteact.com/bitrix-waf-bypass/
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.