all things security

Bitrix Site Manager 12.5.13 Insufficient Verification

Bitrix Site Manager 12.5.13 Insufficient Verification
Posted Dec 16, 2013
Authored by High-Tech Bridge SA | Site htbridge.com

High-Tech Bridge Security Research Lab discovered a vulnerability in Bitrix Site Manager version 12.5.13 that can be exploited to spoof a user's identity and read, modify or delete pre-ordered items in customer's basket.

tags | exploit, spoof
advisories | CVE-2013-6788
MD5 | 43c772095d42d39f44e47a499dab24ab

Bitrix Site Manager 12.5.13 Insufficient Verification

Change Mirror Download
Advisory ID: HTB23183
Product: Bitrix Site Manager
Vendor: Bitrix, Inc
Vulnerable Version(s): 12.5.13 and probably prior
Tested Version: 12.5.13
Advisory Publication: November 6, 2013 [without technical details]
Vendor Notification: November 6, 2013
Vendor Patch: November 12, 2013
Public Disclosure: December 11, 2013
Vulnerability Type: Insufficient Verification of Data Authenticity [CWE-345]
CVE Reference: CVE-2013-6788
Risk Level: Medium
CVSSv2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered vulnerability in Bitrix Site Manager, which can be exploited to spoof user's identity and read, modify or delete pre-ordered items in customer's basket.


1) User Identity Spoofing in Bitrix Site Manager: CVE-2013-6788

The vulnerability exists due to insufficient verification of supplied data authenticity when displaying pre-order items in customer's basket in the e-Store Module of Bitrix Site Manager. A remote unauthenticated user can change "BITRIX_SM_SALE_UID" cookie, view another user's basket and perform certain actions, e.g. add or delete items in the basket. The e-Store Module must be installed on the system and knowledge of a valid "BITRIX_SM_SALE_UID" cookie is required. This value can be easily guessed using simple brute-force techniques, since the application increases its value by 1 with every new customer.

Below are exploitation instructions for this vulnerability. You will need to open two different browsers with plugins that allow cookie management.

1. Open your first browser
2. Visit the following URL http://[host]/buy/cms.php and add items to the basket.
3. You will be redirected to the following URL: http://[host]/personal/cart.php
4. Record your "BITRIX_SM_SALE_UID" cookie value.
5. Open your second browser and navigate to the following URL: http://[host]/personal/cart.php
6. Change the value of your "BITRIX_SM_SALE_UID" cookie to the one you recorded before and delete all other cookies.
7. Refresh the page http://[host]/personal/cart.php. You will see pre-ordered items of another user.

-----------------------------------------------------------------------------------------------

Solution:

Update "sale" module to version 14.0.1

More Information:
http://www.bitrixsoft.com/products/cms/versions.php?module=sale

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23183 - User Identity Spoofing in Bitrix Site Manager
[2] Bitrix Site Manager - http://www.bitrixsoft.com/products/cms/index.php - With over 60,000 installations and #3 rating in the list of the most popular commercial CMS worldwide, the software is an ultimate choice for corporate portals, online stores, community sites and news services.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    22 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close