Bitrix Site Manager subscr_form.php Path Disclosure

2005-06-15T00:00:00
ID OSVDB:17348
Type osvdb
Reporter D_BuG(d_bug@bk.ru)
Modified 2005-06-15T00:00:00

Description

Vulnerability Description

Bitrix Site Manager contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when invalid user input causes errors during execution of subscr_form.php, which discloses web server path information and results in a loss of confidentiality.

Solution Description

Upgrade to version 4.09 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://www.bitrixsoft.com/sitemanager/
Vendor Specific News/Changelog Entry: http://www.bitrixsoft.com/sitemanager/versions.php?module=main
Secunia Advisory ID: 15726
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-06/0120.html
ISS X-Force ID: 21019
CVE-2005-1995