Although Bitrix places a high emphasis on software security and secure web application development, its management decided to commission an independent security audit in order to reach a higher level of security and give clients more confidence.

Positive Technologies, a well-known Russian company specializing in web security and the developer of the MaxPatrol software, was engaged to carry out the information security audit.
With the original source code and the technical support of Bitrix at its disposal, Positive Technologies conducted full-scale testing of the full version of Bitrix Site Manager.
Brief report of the Bitrix Site Manager 4.0 security audit
The subject and task of the analysis
Conduct a thorough information security audit of the Bitrix Site Manager 4.0.
A complete audit comprises both a third-party analysis of the software distribution package and a detailed analysis of the original source code. The source code consists of more than 5000 files written in PHP, more than 24 MB in total.
Types of vulnerability
The analysis covered all known types of vulnerabilities to which web applications are prone, including the following:
• Cross Site Scripting
• SQL injection
• PHP injection
• HTTP Response Splitting
• HTML code injection
• File Inclusion
• Directory traversal.
It should be emphasized that the overall exposure of a web application also depends on vulnerabilities in the platform it runs on: the operating system, DBMS, web server, network services and so on. This analysis covered vulnerabilities of the web application only. Vulnerabilities of the environment it may run in are not an intrinsic property of the application; from the application's point of view they are a variable.
Approach to vulnerability scanning
Given the large volume of application source code, the following three search methods were developed to make the search for vulnerabilities more effective.
• While studying the object model and architecture of the software, a number of modules and files were identified as requiring detailed manual analysis to detect vulnerabilities and weak spots. All of these objects were tested manually.
• Signatures of potentially weak code fragments were built while studying the peculiarities of the code base. These signatures formed the basis of custom software for the intelligent search and further analysis of weak spots. The objects it detected were tested manually.
• Unattended search for vulnerabilities in a running system using intelligent algorithms for information security auditing, with the maximum level of heuristics applied while testing the web application.
Both the source code and a test system running on the software platform were used in the search for vulnerabilities, so the software was tested both “internally” and “externally”, which made for a thorough and effective analysis.
The combination of these methods made it possible to complete the full analysis of the web application within four weeks. Such demanding and scrupulous work would have been impossible without the intelligent automated analysis technologies implemented in the MaxPatrol security scanner.
MaxPatrol is a unique product implementing a number of heuristic analysis algorithms that in many ways simulate the actions of a potential attacker. The advantages of this approach are most apparent when analyzing web applications that contain arbitrary code unknown to the analyzer. Thanks to these algorithms and the high reliability of its diagnostics, MaxPatrol substantially reduces the amount of manual expert work in a security audit.
Although Positive Technologies does not conduct a systematic, continuous search for new vulnerabilities in software products, it publishes articles about newly discovered vulnerabilities in common web applications. All such vulnerabilities are detected automatically by MaxPatrol when it conducts network security audits.
Structure of the research
While analyzing the software, the code was studied in separate logical fragments wherever this was applicable. The greatest emphasis was placed on the following logical blocks:
• main models, classes and methods;
• authorization mechanisms, distribution of access permissions;
• data storing facilities;
• password store and change facilities;
• system of updates;
• site structure control module;
• information search technology;
• forum.
In each block, an appropriate set of signatures of suspicious areas was used for the automated search for vulnerabilities.
The sequence of operations in the search for possible vulnerabilities in each code block was as follows:
• Collecting information about all available scripts.
• Compiling a list of the scripts that process any parameters.
• Checking the responses to various attacks, which involves passing specially crafted data to each of the parameters and analyzing the result. If an inappropriate or anomalous response was detected, a corresponding analysis was conducted.
Vulnerability analysis
The final analysis of all detected vulnerabilities was done manually by the specialists. Each detected vulnerability was checked by hand for whether it could be exploited on a working system; the vulnerable code was analyzed, the risk level estimated and a way to eliminate the vulnerability suggested.
Of the types listed above, Bitrix Site Manager 4.0 was suspected of having two: Cross Site Scripting (XSS) and SQL injection. In total, 50 suspected vulnerabilities of the first type and 5000 of the second were analyzed.
It should be emphasized that none of the potential vulnerabilities could actually be used to gain unauthorized access to the software internals or to confidential information.
Further analysis produced the following results.
1. The risk of the detected XSS vulnerabilities was below the critical level, because the data one could theoretically have attempted to obtain did not contain any information in the clear (e.g. passwords) or other critical information.
2. The risk of the detected SQL injections can be defined as low. On the one hand, exploiting the detected injections in the basic configuration of the software cannot lead to unauthorized access to the database. On the other hand, if a user creates an extension to the product based on the API it exports, a number of the SQL injections may lead to potentially harmful applications if the developer is not sufficiently qualified. It was suggested that the developer include safety checks of the internal API functions in the software production cycle.
3. It is recommended to improve some suspicious code fragments so that they fully filter the user-supplied data.
4. The Forum module proved to be completely invulnerable.
The analysis indicated that the security of the software is at the highest level, but to ensure maximum security it was necessary to eliminate all the detected defects in the security system for better resistance to external attacks.
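The three-step sequence described above (collect the scripts, list those that process parameters, then probe each parameter) and the recommendations in points 2 and 3 (check internal API functions, fully filter user-supplied data) can be illustrated with a small static signature scanner. The Python below is an added example, not code from the audit, from Positive Technologies or from Bitrix; the PHP snippets it scans are constructed for the example, and the single signature it applies (a request-derived variable concatenated or interpolated into an SQL string, as opposed to bound through a prepared-statement placeholder) stands in for the larger signature set a real toolset would carry.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample scripts (hypothetical, not Bitrix code). One concatenates a
# request parameter straight into an SQL string, one passes it through a prepared
# statement placeholder, and one processes no request parameters at all.
SAMPLE_SCRIPTS = {
    "news_list.php": (
        '<?php\n'
        '$id = $_GET["id"];\n'
        '$rs = mysql_query("SELECT * FROM news WHERE ID=" . $id);\n'
    ),
    "user_search.php": (
        '<?php\n'
        '$name = $_POST["name"];\n'
        '$st = $pdo->prepare("SELECT * FROM users WHERE NAME = :name");\n'
        '$st->execute([":name" => $name]);\n'
    ),
    "about.php": '<?php\necho "static page";\n',
}

# Step 2 signature: a PHP variable assigned directly from a request array.
TAINT_RE = re.compile(
    r'\$(\w+)\s*=\s*\$_(?:GET|POST|REQUEST|COOKIE)\[[\'"](\w+)[\'"]\]'
)
# A line that builds an SQL statement.
SQL_RE = re.compile(r'\b(?:SELECT|INSERT|UPDATE|DELETE)\b')


@dataclass
class ScriptReport:
    name: str
    params: dict[str, str] = field(default_factory=dict)   # PHP var -> request parameter
    findings: list[tuple[int, str, str]] = field(default_factory=list)  # (line, var, code)


def list_parameters(source: str) -> dict[str, str]:
    """Step 2: map each PHP variable to the request parameter it is assigned from."""
    return {var: param for var, param in TAINT_RE.findall(source)}


def find_sql_taint(source: str, tainted: dict[str, str]) -> list[tuple[int, str, str]]:
    """Signature of a weak fragment: a request-derived variable concatenated ('. $var')
    or interpolated ("...$var...") into a line that builds SQL. A bound placeholder
    such as :name carries no '$', so a prepared statement is not flagged."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        if not SQL_RE.search(line):
            continue
        for var in tainted:
            v = re.escape(var)
            concat = re.search(r'\.\s*\$' + v + r'\b', line)
            interp = re.search(r'"[^"]*\$' + v + r'\b[^"]*"', line)
            if concat or interp:
                findings.append((no, var, line.strip()))
    return findings


def scan(scripts: dict[str, str]) -> dict[str, ScriptReport]:
    """Steps 1 to 3 over every script: collect, list parameters, apply the signature."""
    reports = {}
    for name, src in scripts.items():
        params = list_parameters(src)
        findings = find_sql_taint(src, params) if params else []
        reports[name] = ScriptReport(name, params, findings)
    return reports


def scripts_with_parameters(reports: dict[str, ScriptReport]) -> list[str]:
    """The step-2 list: scripts that process at least one request parameter."""
    return sorted(n for n, r in reports.items() if r.params)


if __name__ == "__main__":
    reports = scan(SAMPLE_SCRIPTS)
    print("scripts taking parameters:", scripts_with_parameters(reports))
    for r in reports.values():
        for no, var, code in r.findings:
            print(f"{r.name}:{no}: ${var} (request parameter '{r.params[var]}') flows into SQL: {code}")
```

Every hit such a scanner produces is only a suspicion, which is why the audit describes manual confirmation on a working system as the final step; the value of the signature pass is narrowing 5000 files down to the fragments worth an expert's time.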
Results of the audit
The results of the software analysis are summarized in a 390-page report. The report is a detailed instruction for eliminating all the suspected vulnerabilities detected in the system.
Audit of the fixes
All defects in the software code were fixed by the developer on its own. Bitrix Site Manager version 4.0.6, containing all the corrections required for version 4.0, was then tested with the toolset developed for the audit. The results of the testing confirmed the total invulnerability of the system.
Extra tests
Although an exhaustive system analysis includes stress tests, which allow the system's resistance to certain types of attacks to be estimated, these were not conducted, as the developer performs them independently on a regular basis.
The “Secure web application” certificate
The security system and the architecture of Bitrix Site Manager 4.0 are rated as being of the highest quality. They confirm that Bitrix takes information security issues seriously.
The result of the audit is as follows: Bitrix Site Manager 4.0 is given the rank of “The Secure Web Application”, and the conformance certificate has been issued.
Permanent security audit of updates
Bitrix and Positive Technologies have signed an agreement on the constant monitoring of update security.
Scrupulous security monitoring of updates (issued using the SiteUpdate technology) is conducted by Positive Technologies specialists. This ensures independent expert supervision and keeps software security at a constantly high level.