High-Tech Bridge Security Research Lab discovered a vulnerability in Bitrix Site Manager version 12.5.13, which can be exploited to spoof a user's identity and read, modify or delete pre-ordered items in a customer's basket.
User Identity Spoofing vulnerability (CWE-345) in Bitrix Site Manager version 12.5.13 exists due to insufficient verification of supplied data authenticity when displaying pre-order items in a customer's basket in the e-Store Module of Bitrix Site Manager. A remote unauthenticated user can change the "BITRIX_SM_SALE_UID" cookie, view another user's basket and perform certain actions, e.g. add or delete items in the basket. The e-Store Module must be installed on the system and knowledge of a valid "BITRIX_SM_SALE_UID" cookie is required. This value can be easily guessed using simple brute-force techniques, since the application increases its value by 1 with every new customer.
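The root cause above is a basket identifier that is both sequential and accepted as-is from the client. The following is an added example, not Bitrix code: a generic Python model of a basket cookie that replaces the incrementing integer with a random identifier carrying an HMAC tag, so that a guessed or edited value fails verification before any basket is looked up. The server key and all values are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Server-side secret; in a real deployment it comes from configuration,
# never from the request. Constructed value for this example only.
SERVER_KEY = b"example-server-key-do-not-reuse"


def issue_basket_cookie(key: bytes = SERVER_KEY) -> str:
    """Mint a basket identifier that is neither guessable nor alterable.

    Instead of an integer that grows by 1 per customer, the id is 128 bits
    of CSPRNG output, and the cookie also carries an HMAC-SHA256 tag over it
    so that any client-side edit is rejected before a basket lookup happens.
    Cookie format (constructed for this example): "<hex id>.<hex tag>".
    """
    basket_id = secrets.token_hex(16)
    tag = hmac.new(key, basket_id.encode(), hashlib.sha256).hexdigest()
    return f"{basket_id}.{tag}"


def verify_basket_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the basket id if the cookie is authentic, otherwise None.

    This is the check the advisory says was missing: the supplied value is
    authenticated with the server key before it is trusted to select a basket.
    """
    if not cookie or cookie.count(".") != 1:
        return None
    basket_id, tag = cookie.split(".")
    if len(basket_id) != 32 or len(tag) != 64:
        return None
    expected = hmac.new(key, basket_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be recovered through timing.
    if not hmac.compare_digest(expected, tag):
        return None
    return basket_id


def lookup_basket(cookie: str, baskets: dict):
    """Resolve a cookie to basket contents; unauthenticated cookies get nothing."""
    basket_id = verify_basket_cookie(cookie)
    if basket_id is None:
        return None
    return baskets.get(basket_id)
```

A random id alone stops guessing, and the tag additionally stops a customer from presenting a value the server never issued; both checks run before any database access.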
Below are exploitation instructions for this vulnerability. You will need to open two different browsers with plugins that allow cookie management.
- Open your first browser
- Visit the following URL http://[host]/buy/cms.php and add items to the basket.
- You will be redirected to the following URL: http://[host]/personal/cart.php
- Record your "BITRIX_SM_SALE_UID" cookie value.
- Open your second browser and navigate to the following URL: http://[host]/personal/cart.php
- Change the value of your "BITRIX_SM_SALE_UID" cookie to the one you recorded before and delete all other cookies.
- Refresh the page http://[host]/personal/cart.php. You will see pre-ordered items of another user.
Solution: Update the "sale" module to version 14.0.1
More Information: www.bitrixsoft.com/products/cms/versions.php?module=sale