Tuesday, July 22, 2008

The Bitrix open redirect vulnerability: a lesson in the absurd

I try to limit my heckling to McYouKnowWho, but I just stumbled across an issue I couldn't leave alone.
If you've been keeping up on recent articles I've published, you know open redirect vulnerabilities really bother me; thus Open redirect vulnerabilities: definition and prevention in (IN)SECURE Issue 17.
Sidebar: I recently spotted a great academic paper on the same issue by Shue, Kalafut, and Gupta at Indian University. Definitive, to say the least.
Back to the issue at hand. It should have occurred to me to check for this earlier; write it off to being busy. Allow me to spell it out simply.

1) On May 2nd, 2008, I published a open redirect vulnerability in Bitrix Site Manager 6.5, specifically CVE-2008-2052.

2) The vulnerability is a simple one to reproduce, easily exploited by phishers and malware propagators. The issue is still unresolved by the vendor, so here's an example, still available, from their site:
http://www.bitrixsoft.com/bitrix/redirect.php?event1=demo_out&event2=
sm_demo&event3=pdemo&goto=http://www.xssed.com/news/29/
The_dangers_of_Redirect_vulnerabilities
/
Obviously, the fact that I can send you to XSSed.com's fine explanation of the issue, in the context of the vendor's site, is a no-no in Web App Sec 101. In May, the vendor responded, saying they'd fix it, but I've not received the promised communication that they have. Their own site certainly hasn't been mitigated, so we'll see.

3) One of the sites I found exhibiting this vulnerability while researching the issue via Googledork is http://en.securitylab.ru.

4) The same day, en.securitylab.ru posts their version of the CVE vulnerability advisory for the Bitrix vulnerability.

5) As a reference, en.securitylab.ru links to my original advisory USING THE EXACT SAME VULNERABLE REDIRECT SCRIPT!
http://en.securitylab.ru/bitrix/redirect.php?event3=352513&
goto=http://holisticinfosec.org/content/view/62/45/


To this day, neither the vendor's site, nor Security Lab's site have been mitigated.
A malicious attacker could send a "security advisory" in a phishing email, supposedly from Security Lab, and redirect the victim to another web site, likely also somewhere in Russia, and laden with malware.
This could be a candidate for Pwnie Award 2009. ;-)

Common, people...fix it!

del.icio.us | digg

1 comment:

Rafal said...

Spot on Russ, as always. Open Redirects are the absolute worst of the worst - but then again... no one's ever claimed the Russians were good at security [ducks to avoid flying objects].

This is shameful for the vendor, and hysterical for the "security" website... ouch