Bitrix Site Manager redirect.php security bypass
| bitrix-redirect-security-bypass (42157) |  Medium Risk |
Description:
Bitrix Site Manager could allow a remote attacker to bypass security restrictions, caused by an error in the redirect.php script. By persuading a victim to visit a specially-crafted Web site and open a malicious link using the goto parameter, a remote attacker could bypass cross-domain security restrictions and redirect the victim to a malicious site and possibly conduct phishing attacks on the system.
Platforms Affected:
- Bitrix, Bitrix Site Manager 6.5
Remedy:
No remedy available as of June 27, 2009.
Consequences:
Bypass Security
References:
- Bitrix Web site, Web Content Management and Portal Solutions - Bitrix Site Manager at http://www.bitrixsoft.com/.
- HolisticInfoSec Advisory HIO-2008-0427, Bitrix Site Manager XSR at http://holisticinfosec.org/content/view/62/45/.
- CVE-2008-2052: Open redirect vulnerability in redirect.php in Bitrix Site Manager 6.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the goto parameter.
Reported:
May 02, 2008
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net