205 matches found

Prion
added 2006/05/19 5:02 p.m. | 13 views

Design/Logic Flaw (same issue as CVE-2006-2479 below)

The Update functionality in Bitrix Site Manager 4.1.x does not verify the authenticity of downloaded updates, which allows remote attackers to obtain sensitive information and ultimately execute arbitrary PHP code via DNS cache poisoning that redirects the user to a malicious site...

CVSS 5 | AI score 7.6 | EPSS 0.0072
Exploits 1 | References 6 | Affected Software 1
Prion
added 2006/05/19 5:02 p.m. | 9 views

Improper access control (same issue as CVE-2006-2476 below)

Bitrix Site Manager 4.1.x stores updater.log under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information...

CVSS 5 | AI score 7 | EPSS 0.01008
Exploits 1 | References 8 | Affected Software 1
Prion
added 2006/05/19 5:02 p.m. | 11 views

Cross site scripting (in fact an open redirect; same issue as CVE-2006-2478 below)

Bitrix Site Manager 4.1.x allows remote attackers to redirect users to other websites via a modified back_url during an HTTP POST request. NOTE: this issue has been referred to as "cross-site scripting," but that is inconsistent with the common use of the term...

CVSS 5 | AI score 7.1 | EPSS 0.00658
Exploits 1 | References 8 | Affected Software 1
NVD
added 2006/05/19 5:02 p.m. | 12 views

CVE-2006-2477

Cross-site scripting (XSS) vulnerability in the administrative interface of Bitrix Site Manager 4.1.x allows remote attackers to inject arbitrary web script or HTML via unspecified inputs...

CVSS 4.9 | AI score 5.7 | EPSS 0.00439
Exploits 1 | References 6
Cvelist
added 2006/05/19 5:00 p.m. | 23 views

CVE-2006-2479

The Update functionality in Bitrix Site Manager 4.1.x does not verify the authenticity of downloaded updates, which allows remote attackers to obtain sensitive information and ultimately execute arbitrary PHP code via DNS cache poisoning that redirects the user to a malicious site...

AI score 7.2 | EPSS 0.0072
Exploits 1 | References 6
Cvelist
added 2006/05/19 5:00 p.m. | 19 views

CVE-2006-2477

Cross-site scripting (XSS) vulnerability in the administrative interface of Bitrix Site Manager 4.1.x allows remote attackers to inject arbitrary web script or HTML via unspecified inputs...

AI score 5.7 | EPSS 0.00439
Exploits 1 | References 6
Cvelist
added 2006/05/19 5:00 p.m. | 12 views

CVE-2006-2478

Bitrix Site Manager 4.1.x allows remote attackers to redirect users to other websites via a modified back_url during an HTTP POST request. NOTE: this issue has been referred to as "cross-site scripting," but that is inconsistent with the common use of the term...

AI score 6.6 | EPSS 0.00658
Exploits 1 | References 8
CVE
added 2006/05/19 5:00 p.m. | 41 views

CVE-2006-2477

CVE-2006-2477 is an XSS vulnerability affecting the administrative interface of Bitrix Site Manager 4.1.x. It allows remote attackers to inject arbitrary web script or HTML via unspecified inputs. The CVSS v2 base score is 4.9 (Medium): network attack vector, single authentication required...

CVSS 4.9 | AI score 5.7 | EPSS 0.00439
Exploits 1 | References 6 | Affected Software 1
Cvelist
added 2006/05/19 5:00 p.m. | 19 views

CVE-2006-2476

Bitrix Site Manager 4.1.x stores updater.log under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information...

AI score 6.5 | EPSS 0.01008
Exploits 1 | References 8
CVE
added 2006/05/19 5:00 p.m. | 41 views

CVE-2006-2479

The CVE record describes the same weakness as the Cvelist entry above: the Update functionality in Bitrix Site Manager 4.1.x does not verify the authenticity of downloaded updates, so DNS cache poisoning that redirects the updater to a malicious site lets a remote attacker obtain sensitive information and ultimately execute arbitrary PHP code. The records give no further technical detail on the update endpoint, the exact vector or a vendor mitigation.

CVSS 5 | AI score 7.2 | EPSS 0.0072
Exploits 1 | References 6 | Affected Software 1
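The failure the CVE-2006-2479 records describe is an updater that trusts whatever the update host returns, so a poisoned DNS answer is enough to feed it attacker-supplied PHP. The check an updater needs does not depend on DNS or on the transport: a signature over the archive, verified against a vendor key pinned in the client before anything is extracted or executed. The PHP below is an added example written for this page, not Bitrix code; the file names, the `verify_update()` helper and the throwaway RSA key pair that stands in for the vendor's pinned key are all assumptions.

```php
<?php
// Added example, not Bitrix code: authenticate an update archive with a
// detached signature and a public key pinned in the client.

// Verify $archivePath against $sigPath using a vendor public key that ships
// with the client as a PEM string. Returns true only on a valid signature,
// so a swapped archive and a swapped signature both fail closed.
function verify_update(string $archivePath, string $sigPath, string $pinnedPubKeyPem): bool
{
    $data = @file_get_contents($archivePath);
    $sig  = @file_get_contents($sigPath);
    if ($data === false || $sig === false) {
        return false;
    }
    $key = openssl_pkey_get_public($pinnedPubKeyPem);
    if ($key === false) {
        return false;
    }
    // openssl_verify() returns 1 (valid), 0 (invalid) or -1/false (error);
    // only the exact value 1 counts as success.
    return openssl_verify($data, $sig, $key, OPENSSL_ALGO_SHA256) === 1;
}

// Demonstration with a constructed archive and a throwaway RSA key pair that
// stands in for the vendor's signing key (assumption: the vendor signs with
// RSA/SHA-256 and ships the public half inside the client).
$pair = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
$pinnedPubKeyPem = openssl_pkey_get_details($pair)['key'];

$dir     = sys_get_temp_dir();
$archive = "$dir/bitrix-update.tar.gz";   // assumed file name
$sigFile = "$archive.sig";

// What the genuine update host serves: the archive plus the vendor signature.
file_put_contents($archive, "constructed archive bytes");
openssl_sign(file_get_contents($archive), $signature, $pair, OPENSSL_ALGO_SHA256);
file_put_contents($sigFile, $signature);
var_dump(verify_update($archive, $sigFile, $pinnedPubKeyPem));

// What a host reached through a poisoned DNS answer serves: the same file
// name, different bytes. The pinned key never signed it, so it is refused.
file_put_contents($archive, "constructed archive bytes with a backdoor");
var_dump(verify_update($archive, $sigFile, $pinnedPubKeyPem));
```

The pinned key must come from the installed package or its configuration, never from the same host the archive is fetched from, otherwise the attacker who controls the DNS answer also controls the key. Fetching over HTTPS with certificate validation is worth doing as well, but it is defence in depth: it does not replace the signature check, which must run before any file from the archive is written into the web root.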
CVE
added 2006/05/19 5:00 p.m. | 42 views

CVE-2006-2478

Bitrix Site Manager 4.1.x is affected by CVE-2006-2478: remote attackers can redirect users to other websites by supplying a modified back_url in an HTTP POST request. The root cause and impact are limited to redirects as described; exploitation details or in-the-wild status are not provided in th...

CVSS 5 | AI score 6.6 | EPSS 0.00658
Exploits 1 | References 8 | Affected Software 1
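The back_url issue is the usual post-login redirect taking its target straight from the request. The fix is to accept only a site-relative path and fall back to a fixed location for anything else. The function below is an added example written for this page, not Bitrix code; the name `safe_back_url()` and the sample inputs are assumptions.

```php
<?php
// Added example, not Bitrix code: accept a post-login "back_url" only when it
// is a path on this site, so a tampered POST cannot send the user elsewhere.

// Return $backUrl if it is a site-relative path, otherwise $fallback.
function safe_back_url(?string $backUrl, string $fallback = '/'): string
{
    if ($backUrl === null || $backUrl === '') {
        return $fallback;
    }
    // Control characters (CR/LF in particular) would let the value break out
    // of the Location header.
    if (preg_match('/[\x00-\x1F\x7F]/', $backUrl)) {
        return $fallback;
    }
    // Must start with exactly one forward slash: "//host/..." and "/\host/..."
    // are resolved by browsers as scheme-relative URLs to another host, and
    // anything without a leading slash may carry a scheme ("http:", "javascript:").
    if ($backUrl[0] !== '/' || (isset($backUrl[1]) && ($backUrl[1] === '/' || $backUrl[1] === '\\'))) {
        return $fallback;
    }
    // After the checks above parse_url() must see neither a scheme nor a
    // host; anything else is treated as untrusted.
    $parts = parse_url($backUrl);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $backUrl;
}

// Constructed inputs covering the tampered-POST cases and a legitimate one.
$samples = [
    '/bitrix/admin/index.php?lang=en',   // legitimate same-site path
    'http://attacker.example/phish',      // absolute URL
    '//attacker.example/phish',           // scheme-relative URL
    '/\\attacker.example/phish',          // backslash variant
    "/ok\r\nSet-Cookie: x=1",             // header injection attempt
    '',                                   // missing value
];
foreach ($samples as $s) {
    printf("%-40s -> %s\n", json_encode($s), safe_back_url($s));
}
```

At the redirect site this becomes `header('Location: ' . safe_back_url($_POST['back_url'] ?? null));`. Rejecting rather than "fixing" a bad value is deliberate: a redirect target is never worth guessing, and a fixed fallback keeps the user on the site.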
CVE
added 2006/05/19 5:00 p.m. | 46 views

CVE-2006-2476

CVE-2006-2476 affects Bitrix Site Manager 4.1.x where updater.log is stored in the web document root with insufficient access control, enabling remote attackers to obtain sensitive information. Root cause: improper access restrictions on updater.log. Impact is information disclosure of potentiall...

CVSS 5 | AI score 6.5 | EPSS 0.01008
Exploits 1 | References 8 | Affected Software 1
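Whether updater.log is reachable over HTTP is a one-request check (a HEAD request for the file's path under the site; a 200 means it is exposed) and a one-directive fix. The fragment below is an added example, not Bitrix configuration; it assumes Apache httpd with .htaccess overrides enabled, and it relies only on the file name the CVE gives, so it matches wherever under the document root the file sits.

```apache
# Added example, not Bitrix configuration.
#
# Weak state: no directive mentions the file, so a request for the path of
# updater.log is served with the same permissions as any other static file.
#
# Corrected: refuse the file over HTTP. Apache 2.4 syntax; on 2.2 use
# "Order allow,deny" and "Deny from all" inside the block instead.
<Files "updater.log">
    Require all denied
</Files>
```

The durable fix is to write the log outside the document root, so no web-server rule is needed to keep it private; the directive above is the stop-gap for an installation that cannot be re-pointed yet.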
securityvulns
added 2006/05/18 12:00 a.m. | 89 views

[Full-disclosure] Multiple Vulns in Bitrix CMS

Multiple Vulns in Bitrix CMS. Vendor: bitrix.com. Version: the latest one, 4.1.x. Severity: Medium. Patched: No. Multiple vulnerabilities discovered in Bitrix CMS. A remote attacker can conduct XSS attacks and compromise a vulnerable system. 1. A remote attacker can get information about version history and...

AI score 0.4
Exploits 0
Packet Storm
added 2005/06/21 12:00 a.m. | 31 views

bitrix40xInclusion.txt

Vendor: Bitrix. Product: Bitrix Site Manager 4.0.x. Vulnerability: PHP inclusion. Consequence: custom PHP code execution on the server. Risk: Critical. Description: due to the unfiltered _SERVER[DOCUMENT_ROOT] variable in the file "\bitrix\modules\main\start.php", a hacker can upload a PHP script from another server and...

AI score 7.4
Exploits 0
CVE
added 2005/06/20 4:00 a.m. | 45 views

CVE-2005-1995

Bitrix Site Manager 4.0.x is affected by an information disclosure vulnerability. The issue occurs when remote attackers request one of two PHP scripts (subscr_form.php or dbquery_error.php) and trigger an error message that reveals the installation path, exposing sensitive information. The vulne...

CVSS 5 | AI score 6.6 | EPSS 0.00404
Exploits 0 | References 4 | Affected Software 1
Cvelist
added 2005/06/20 4:00 a.m. | 15 views

CVE-2005-1996

PHP remote file inclusion vulnerability in start.php in Bitrix Site Manager 4.0.x allows remote attackers to execute arbitrary PHP code via the _SERVER[DOCUMENT_ROOT] parameter...

AI score 7.6 | EPSS 0.00684
Exploits 0 | References 8
Cvelist
added 2005/06/20 4:00 a.m. | 19 views

CVE-2005-1995

Bitrix Site Manager 4.0.x allows remote attackers to obtain sensitive information via a direct request to (1) subscr_form.php or (2) dbquery_error.php, which reveals the path in an error message...

AI score 6.2 | EPSS 0.00404
Exploits 0 | References 4
CVE
added 2005/06/20 4:00 a.m. | 55 views

CVE-2005-1996

The CVE-2005-1996 entry describes a PHP remote file inclusion vulnerability in Bitrix Site Manager 4.0.x, specifically in start.php, allowing remote code execution via the _SERVER[DOCUMENT_ROOT] parameter. The vulnerability targets the start.php component and is triggered by manipulating the DOCU...

CVSS 5 | AI score 8 | EPSS 0.00684
Exploits 0 | References 8 | Affected Software 1
securityvulns
added 2005/06/16 12:00 a.m. | 31 views

Vulnerability: Bitrix Web Server Paths

Vendor: Bitrix. Product: Bitrix Site Manager 4.0.x. Consequences: web server paths. Risk: Minimal. Description: during execution of http://host/bitrix/templates/.default/subscribe/subscr_form.php or http://host/bitrix/php_interface/dbquery_error.php, errors occur which cause a web server internal...

AI score 0.2
Exploits 0
securityvulns
added 2005/06/16 12:00 a.m. | 52 views

Vulnerability: Bitrix Php inclusion

Vendor: Bitrix. Product: Bitrix Site Manager 4.0.x. Vulnerability: PHP inclusion. Consequence: custom PHP code execution on the server. Risk: Critical. Description: due to the unfiltered _SERVER[DOCUMENT_ROOT] variable in the file "\bitrix\modules\main\start.php", a hacker can upload a PHP script from another server and execu...

AI score 0.5
Exploits 0
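The CVE-2005-1996 records and both advisories above describe one shape of bug: start.php builds an include path from a DOCUMENT_ROOT value that, on the affected installations, could be supplied in the request, so the base of the path can be pointed at a server the attacker controls. The PHP below is an added example written for this page, not Bitrix source; it takes the attacker-controlled value as given without reproducing the mechanism, and the function names, the `include.php` target and the assumption that the script sits at the site root are all assumptions. It shows that shape next to a replacement that derives the base from the script's own location and refuses anything that is not a local file beneath it.

```php
<?php
// Added example, not Bitrix code: the vulnerable include shape behind
// CVE-2005-1996 beside a hardened path resolver.

// Vulnerable shape (illustration only). $server stands for $_SERVER as the
// affected installations populated it, with DOCUMENT_ROOT taken from the
// request. If it holds "http://attacker.example", include() on the result
// fetches and runs remote code wherever allow_url_* settings permit it.
function vulnerable_include_path(array $server): string
{
    return $server['DOCUMENT_ROOT'] . '/bitrix/modules/main/include.php';
}

// Hardened: base directory from __DIR__ (assumption: this file sits at the
// site root), relative path validated, result resolved and checked for
// containment before it is handed to include().
function hardened_include_path(string $relative): ?string
{
    $root = realpath(__DIR__);
    if ($root === false || $relative === '') {
        return null;
    }
    // No stream wrappers (http://, php://, data:) and no absolute paths;
    // the scheme test also catches Windows drive letters such as "C:".
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $relative)
        || $relative[0] === '/' || $relative[0] === '\\') {
        return null;
    }
    // realpath() collapses ".." and symlinks and returns false for a file
    // that does not exist, so a traversal that escapes $root fails the
    // prefix test below and a missing file is refused rather than included.
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $relative);
    if ($candidate === false) {
        return null;
    }
    if (strncmp($candidate, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed inputs. The first mirrors what the advisories describe: a
// DOCUMENT_ROOT that names a server the attacker controls.
$poisoned = ['DOCUMENT_ROOT' => 'http://attacker.example'];
echo vulnerable_include_path($poisoned), "\n";

var_dump(hardened_include_path('http://attacker.example/shell.php'));
var_dump(hardened_include_path('../../../etc/passwd'));
var_dump(hardened_include_path('bitrix/modules/main/include.php'));
```

The caller then does `include $path;` only when the resolver returned a string. Two server-side settings back this up on any PHP of that era: `register_globals = Off`, so request data cannot populate variables the code treats as trusted, and `allow_url_include = Off`, so even a bypass of the resolver cannot pull code over HTTP.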