PT-2014-10: Proactive Filter Bypassing in Bitrix CMS Vulnerable softwareBitrix CMS Version: 14.5.0 and earlierLink: http://www.1c-bitrix.ru/products/cms/Severity levelSeverity level: Medium Impact: Proactive Filter Bypassing Access Vector: Remote CVSS v2: Base Score: 5.8 Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)CVE: not assignedSoftware descriptionBitrix CMS is a professional web content management system.Vulnerability descriptionThe specialists of the Positive Research center have detected a Proactive Filter Bypassing vulnerability in Bitrix CMS.Bitrix Proactive Filter, which provides traffic filtering and protection from attacks on web application, ignores the entire functionality of MySQL queries syntax due to improper implementation. This vulnerability allows an attacker to bypass security restrictions and perform SQL Injection attacks using ODBC escape syntax.How to fix Update your software up to the latest version.Advisory status 14.07.2014 - Vendor gets vulnerability details 16.07.2014 - Vendor releases fixed version and details 26.12.2014 - Public disclosureCreditsThe vulnerability was detected by Sergey Bobrov, Positive Research Center (Positive Technologies Company)Referenceshttp://en.securitylab.ru/lab/PT-2014-10 Reports on the vulnerabilities previously discovered by Positive Research:http://www.ptsecurity.com/research/advisory/ http://en.securitylab.ru/lab/