id: bitrix-open-redirect info: name: Bitrix Site Management Russia 2.0 - Open Redirect author: pikpikcu,gtrrnr severity: medium description: Bitrix Site Management Russia 2.0 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. reference: - https://packetstormsecurity.com/files/151955/1C-Bitrix-Site-Management-Russia-2.0-Open-Redirection.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cwe-id: CWE-601 metadata: max-request: 14 shodan-query: "html:\"/bitrix/\"" tags: redirect,bitrix,packetstorm http: - method: GET path: - "{{BaseURL}}{{paths}}" payloads: paths: - '/bitrix/rk.php?goto=https://interact.sh' - '/bitrix/redirect.php?event1=&event2=&event3=&goto=https://interact.sh' - '/bitrix/redirect.php?event3=352513&goto=https://interact.sh' - '/bitrix/redirect.php?event1=demo_out&event2=sm_demo&event3=pdemo&goto=https://interact.sh' - '/bitrix/redirect.php?site_id=s1&event1=select_product_t1&event2=contributions&goto=https://interact.sh' - '/bitrix/redirect.php?event1=&event2=&event3=download&goto=https://interact.sh' - '/bitrix/rk.php?id=28&site_id=s2&event1=banner&event2=click&event3=3+%2F+%5B28%5D+%5BBANNER_AREA_FOOTER2%5D+%D0%9F%D0%BE%D1%81%D0%B5%D1%82%D0%B8%D1%82%D0%B5+%D0%B2%D0%B2%D0%BE%D0%B4%D0%BD%D1%83%D1%8E+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D1%83%D1%8E+%D0%BB%D0%B5%D0%BA%D1%86%D0%B8%D1%8E+APTOS&goto=https://interact.sh' - '/bitrix/rk.php?id=84&site_id=n1&event1=banner&event2=click&event3=1+%2F+%5B84%5D+%5BMOBILE_HOME%5D+Love+Card&goto=https://interact.sh' - '/bitrix/rk.php?id=691&site_id=s3&event1=banner&event2=click&event3=1+%2F+%5B691%5D+%5BNEW_INDEX_BANNERS%5D+Trade-in+football&goto=https://interact.sh' - '/bitrix/rk.php?id=129&event1=banner&event2=click&event3=5+%2F+%5B129%5D+%5BGARMIN_AKCII%5D+Garmin+%E1%EE%ED%F3%F1+%ED%EE%E2%EE%F1%F2%FC+%E2+%E0%EA%F6%E8%E8&goto=https://interact.sh' - '/bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://interact.sh' - '/bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://interact.sh' - '/bitrix/redirect.php?goto=https://example.com%252F:123@interactsh.com/' - '/bitrix/tools/track_mail_click.php?url=http://site%252F@interactsh.com/' stop-at-first-match: true matchers-condition: and matchers: - type: regex regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$' part: header - type: status condition: or status: - 302 - 301 # digest: 4a0a00473045022076898c7e94f9fa54a0043643d8984c844200ec0d3a8a829faa58e30e382dc635022100d0b04f2037e4ef5eb563a23e63788d8c85ca17f7cbe4760666895f1383585f12:922c64590222798bb761d5b6d8e72950