Vulnerabilities found in ImpressCMS can allow an unauthorised attacker to circumvent the software’s SQL injection safeguards to execute codes remotely or Remote code execution (RCE), informs a security researcher.
The vulnerabilities, CVE-2021-26599, an SQL injection flaw and an access control bug have been addressed with the latest version of the popular open-source content management system (CMS).
But the same method can be altered to avoid security tools which means that features designed to protect from SQL injection exploits can be used to attack host applications.
Researcher Egidio “EgiX” Romano, said that this vulnerability “should be exploitable only by registered ImpressCMS users”. However, an error in access control verification can allow unauthenticated attackers to avoid (CVE-2021-26598) and exploit the checks.
Romano told The Daily Swig: “To successfully exploit this vulnerability you have to deal with Protector, which is a sort of built-in Web Application Firewall (WAF) in ImpressCMS, and this is where the idea to use this ‘new’ SQL Injection technique came in.
“The interesting part is that this very same technique, which should be 20 years old, could be abused also to bypass Web Application Firewalls nowadays,” said Romano, who claimed that OWASP ModSecurity Core Rule Set and Cloudflare’s WAF are among those at risk.
There are some inhibitions, namely that ImpressCMS must be installed along with the PDO database driver, which enables stacked queries, but “in general, there are only two requirements for this SQL Injection technique to work – the application should be vulnerable to SQL injection, of course, [and] the application should support execution of multiple (stacked) SQL queries”.
The researcher reported the issues to ImpressCMS via HackerOne in January 2021, and both vulnerabilities have been patched.
Romano claims, however, that two main security technologies – OWASP’s ModSecurity Core Rule Set (CRS) and Cloudflare’s WAF – can be circumvented via this method.
Romano told The Daily Swig that when constructed with ‘Paranoia Level 1’ (the default configuration), ModSecurity’s SQL injection detection rules can be bypassed with a “slightly modified version” of the technique that was originally developed against ImpressCMS Protector.
He added: “CRS also relies on libinjection to detect SQL Injection patterns, an open source library in which I discovered a bug that allows to bypass its detection mechanisms.”
“This will bypass libinjection detection rules, but not all of the CRS rules,” he added.
Speaking to The Daily Swig, ModSecurity project co-lead Christian Folini confirmed that the CRS is vulnerable.
He added: “Bypasses of the default installation are not welcome, but they are accepted to a certain extent.
“We advise users with higher security needs, basically everybody doing business on the internet, to raise their paranoia level to 2 or higher where we detect bypasses like the ones in question.”
Tremante commented: “As far as we can tell, the researcher lowered the WAF sensitivity (for example the OWASP paranoia level and threshold) to a point where the payload was no longer detected.
“The likelihood is that they do not have all the WAF rules enabled. However, without additional information, we cannot confirm that a bypass has been found.
“We’d also like to remind researchers that any test activity against our WAF should be performed on Cloudflare’s public facing bug bounty program domain as very often bypasses are due to badly or purposely miss configured WAF settings. Cloudflare’s test domain is correctly configured with good WAF settings.
“If there are additional payloads, we welcome researchers to submit them via Cloudflare’s bug bounty program, as feedback enables us to make our products better.”