Full Disclosure mailing list archives

Cross-Site Scripting vulnerability in Bitrix Site Manager

From: "MustLive" <mustlive () websecurity com ua>
Date: Tue, 31 Jan 2017 23:55:21 +0200

Hello list!

There is Cross-Site Scripting vulnerability in Bitrix Site Manager.

-------------------------
Affected products:
-------------------------

Vulnerable was the last version of Bitrix Site Manager at 12.06.2015, when Ifound this vulnerability on web site of Russian terrorists. At that time Iwrote at Facebook about hack by Ukrainian Cyber Forces of that sitehttp://on.fb.me/1H05ccm and published results of our work with it.

You can read about work of Ukrainian Cyber Forces(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2017-January/010833.html).


----------
Details:
----------

Cross-Site Scripting (WASC-08):

This is persistent XSS in field "text" in contact form (captcha protected):

<img src="http://1"; on onerror="$(’p').text(’Hacked’)" />

At 31.12.2016 I disclosed it at my site (http://websecurity.com.ua/7826/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site

http://websecurity.com.ua


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Current thread:

Cross-Site Scripting vulnerability in Bitrix Site Manager MustLive (Feb 01)