High-Tech Bridge Security Research Lab discovered a vulnerability in the bitrix.xscan module for Bitrix, a module intended to discover and neutralize malware on the website. The vulnerability can be exploited to change the extension of arbitrary PHP files on the target system and thereby gain access to potentially sensitive information, such as database credentials, or even make the whole website inaccessible, since a renamed PHP file is no longer executed by the server.
The vulnerability exists due to the absence of filtration of directory traversal sequences (e.g. "../") passed via the "file" HTTP GET parameter to the "/bitrix/admin/bitrix.xscan_worker.php" script. A remote authenticated attacker can upload a file with malicious contents and pass its path to the vulnerable script with a traversal sequence appended that points at the file to rename. As a result, the vulnerable script changes the extension of the targeted file from ".php" to ".ph_". Because the renamed file no longer matches the web server's PHP handler, the server treats it as a plain text file and returns its source instead of executing it.
To demonstrate the vulnerability, follow the steps below:
file=/upload/main/77f/image.jpg/../../../../../bitrix/.settings.php
<img src="http://[host]/bitrix/admin/bitrix.xscan_worker.php?action=prison&file=/upload/main/77f/image.jpg/../../../../../bitrix/.settings.php">
As a result, the vulnerable script renames "/bitrix/.settings.php" to "/bitrix/.settings.ph_", which makes its contents readable by anonymous users:
http://[host]/bitrix/.settings.ph_
Access to the vulnerable module requires administrative privileges; however, the vulnerability can be used by anonymous users via a CSRF vector, because the request is a plain GET that an administrator's browser issues automatically when it renders a page containing the <img> tag above. Steps 1-4 do not require administrative or special privileges and can be performed by any user who can register at the website or upload an image.
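The following Python model is an added example written for this page; it is not code from the bitrix.xscan module or from the advisory. It reproduces the path arithmetic behind the PoC (normalizing the web-root-relative "file" value lexically, which is what turns the payload into /bitrix/.settings.php as reported above) and places a confinement check beside the unfiltered behaviour. The document root, the use of /upload as the only permitted directory, and all function names are assumptions made for the illustration.

```python
import posixpath
from typing import Tuple

# Constructed for this example (not from the advisory): the web root and the
# directory the scanner is supposed to confine itself to.
DOCROOT = "/var/www/html"
UPLOAD_DIR = "/upload"

# The "file" value from the PoC, with the traversal written as "../" sequences.
POC_FILE = "/upload/main/77f/image.jpg/../../../../../bitrix/.settings.php"


def normalize_webroot_path(user_path: str) -> str:
    """Collapse '.' and '..' segments in a web-root-relative path, clamping at '/'.

    Assumption: the path is normalized relative to the web root before the
    document root is prepended. That is the behaviour implied by the advisory's
    result (five '..' from a four-level path still land on /bitrix/.settings.php).
    """
    return posixpath.normpath("/" + user_path.lstrip("/"))


def quarantine_name(path: str) -> str:
    """The 'prison' action described in the advisory: '.php' becomes '.ph_'."""
    root, ext = posixpath.splitext(path)
    return root + ".ph_" if ext == ".php" else path


def vulnerable_prison(user_path: str) -> Tuple[str, str]:
    """Unfiltered variant: whatever the traversal resolves to gets renamed.

    Returns (source path, destination path) of the rename that would happen.
    """
    src = DOCROOT + normalize_webroot_path(user_path)
    return src, quarantine_name(src)


def naive_prefix_check(user_path: str) -> bool:
    """A check on the raw string. The PoC passes it: it really does start with /upload/.
    This is the mistake of validating before normalizing."""
    return user_path.startswith(UPLOAD_DIR + "/")


def hardened_prison(user_path: str) -> Tuple[str, str]:
    """Confined variant: validate the *normalized* path, then rename.

    The target must still sit under UPLOAD_DIR after '..' collapsing and must be
    a .php file; anything else is refused with ValueError.
    """
    rel = normalize_webroot_path(user_path)
    if not rel.startswith(UPLOAD_DIR + "/"):
        raise ValueError(f"refusing to touch {rel}: outside {UPLOAD_DIR}")
    if posixpath.splitext(rel)[1] != ".php":
        raise ValueError(f"refusing to touch {rel}: not a PHP file")
    src = DOCROOT + rel
    return src, quarantine_name(src)


def is_rejected(user_path: str) -> bool:
    """True if the hardened variant refuses the request."""
    try:
        hardened_prison(user_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Unfiltered: the configuration file outside /upload is renamed.
    print(vulnerable_prison(POC_FILE))
    # The raw-string check is fooled, the post-normalization check is not.
    print(naive_prefix_check(POC_FILE), is_rejected(POC_FILE))
    # A genuinely uploaded PHP file under /upload is still quarantined.
    print(hardened_prison("/upload/main/77f/dropper.php"))
```

The point of the two checks side by side is that a prefix test on the raw parameter is worthless against this payload; the test has to run on the normalized (or, on a real filesystem, realpath()-resolved) path. One practical caveat when reproducing traversal of this shape: a Linux kernel refuses to step through a regular file (`image.jpg/..` fails with ENOTDIR), so such payloads rely on the application, or a host such as Windows that normalizes paths lexically, collapsing the `..` segments before the rename is attempted.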