Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | N/A |
CWE-ID | CWE-20 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #1 is available. |
Vulnerable software Subscribe |
Bitrix Site Manager Web applications / CMS |
Vendor | Bitrix |
Security Bulletin
This security bulletin contains information about 1 vulnerabilities.
Updated: 13.05.2020
Changed bulletin status to patched.
EUVDB-ID: #VU27476
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:U/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass web application firewall.
The vulnerability exists due to insufficient validation of user-supplied input when processing NULL byte character within the Proactive Protection module version 19.0.0 and below in Bitrix Site Manager. A remote attacker can pass specially crafted input to the application that contains a NULL byte (%00) and bypass Web Application Firewall rules.
Vulnerable code:
require($_SERVER["DOCUMENT_ROOT"]."/bitrix/header.php"); $s = $_GET["test"]; ?>Not loaded
PoC Request:
http://[host]/?test=tetsBYPASS%00")});alert(1);$(document).ready(function (){%2f%2fMitigation
Install update from vendor's website.
Update Proactive Protection module to version 20.0.0.
Vulnerable software versionsBitrix Site Manager: 16.0 - 20.0.950
CPE2.3http://blog.deteact.com/bitrix-waf-bypass/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.