[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Cross-Site Scripting vulnerability in Bitrix Site Manager

To: <submissions@xxxxxxxxxxxxxxxxxxxxxxx>, <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] Cross-Site Scripting vulnerability in Bitrix Site Manager
From: "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx>
Date: Tue, 31 Jan 2017 23:55:21 +0200

Hello list!

There is Cross-Site Scripting vulnerability in Bitrix Site Manager.

-------------------------
Affected products:
-------------------------

Vulnerable was the last version of Bitrix Site Manager at 12.06.2015, when Ifound this vulnerability on web site of Russian terrorists. At that time Iwrote at Facebook about hack by Ukrainian Cyber Forces of that sitehttp://on.fb.me/1H05ccm and published results of our work with it.

You can read about work of Ukrainian Cyber Forces(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2017-January/010833.html).


----------
Details:
----------

Cross-Site Scripting (WASC-08):

This is persistent XSS in field "text" in contact form (captcha protected):

<img src="http://1"; on onerror="$(’p').text(’Hacked’)" />

At 31.12.2016 I disclosed it at my site (http://websecurity.com.ua/7826/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site

http://websecurity.com.ua


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] QNAP NVR/NAS Heap / Stack / Heap Feng Shui overflow, and "Heack Combo" to pwn
Next by Date: [FD] secuvera-SA-2017-02: Reflected XSS and Open Redirect in MailStore Server
Previous by thread: [FD] QNAP NVR/NAS Heap / Stack / Heap Feng Shui overflow, and "Heack Combo" to pwn
Next by thread: [FD] secuvera-SA-2017-02: Reflected XSS and Open Redirect in MailStore Server
Index(es):
- Date
- Thread