Bitrix Site Manager Cross Site Scripting

2017-02-02T00:00:00
ID PACKETSTORM:140882
Type packetstorm
Reporter MustLive
Modified 2017-02-02T00:00:00

Description

                                        
                                            `Hello list!  
  
There is Cross-Site Scripting vulnerability in Bitrix Site Manager.  
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable was the last version of Bitrix Site Manager at 12.06.2015, when I   
found this vulnerability on web site of Russian terrorists. At that time I   
wrote at Facebook about hack by Ukrainian Cyber Forces of that site   
http://on.fb.me/1H05ccm and published results of our work with it.  
  
You can read about work of Ukrainian Cyber Forces   
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2017-January/010833.html).  
  
----------  
Details:  
----------  
  
Cross-Site Scripting (WASC-08):  
  
This is persistent XSS in field "text" in contact form (captcha protected):  
  
<img src="http://1" on onerror="$(p').text(Hacked)" />  
  
At 31.12.2016 I disclosed it at my site (http://websecurity.com.ua/7826/).  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
`