Features designed to protect against SQL injection could be abused and turned against the host application
Vulnerabilities in ImpressCMS could allow an unauthenticated attacker to bypass the software’s SQL injection protections to achieve remote code execution (RCE), a security researcher has warned.
However, the same technique could be used modified to bypass other well-known security tools – ultimately meaning that features designed to protect against SQL injection exploits can be abused and turned against the host application.
Researcher Egidio “EgiX” Romano, said that this vulnerability “should be exploitable only by registered ImpressCMS users”. However, due to an incorrect access control check, it could be bypassed (CVE-2021-26598) and exploited by unauthenticated attackers, too.
Romano told The Daily Swig: “To successfully exploit this vulnerability you have to deal with Protector, which is a sort of built-in Web Application Firewall (WAF) in ImpressCMS, and this is where the idea to use this ‘new’ SQL Injection technique came in.
“The interesting part is that this very same technique, which should be 20 years old, could be abused also to bypass Web Application Firewalls nowadays,” said Romano, who claimed that OWASP ModSecurity Core Rule Set and Cloudflare’s WAF are among those at risk.
There are some limitations, namely that ImpressCMS must be installed with the PDO database driver, which allows for stacked queries, but “in general, there are only two requirements for this SQL Injection technique to work – the application should be vulnerable to SQL injection, of course, [and] the application should support execution of multiple (stacked) SQL queries”.
The researcher reported the issues to ImpressCMS via HackerOne in January 2021, and both bugs have now been fixed.
Romano claims, however, that two major security technologies – OWASP’s ModSecurity Core Rule Set (CRS) and Cloudflare’s WAF – can be bypassed through this technique.
Romano told The Daily Swig that when configured with ‘Paranoia Level 1’ (the default configuration), ModSecurity’s SQL injection detection rules can be bypassed with a “slightly modified version” of the technique that was originally developed against ImpressCMS Protector.
He added: “CRS also relies on libinjection to detect SQL Injection patterns, an open source library in which I discovered a bug that allows to bypass its detection mechanisms.”
“This will bypass libinjection detection rules, but not all of the CRS rules,” he added.
Speaking to The Daily Swig, ModSecurity project co-lead Christian Folini confirmed that the CRS is vulnerable.
He added: “Bypasses of the default installation are not welcome, but they are accepted to a certain extent.
“We advise users with higher security needs, basically everybody doing business on the internet, to raise their paranoia level to 2 or higher where we detect bypasses like the ones in question.”
Speaking to The Daily Swig, Michael Tremante, product manager at Cloudflare, said that the payload detailed in Romano’s blog is blocked by its WAF.
Tremante commented: “As far as we can tell, the researcher lowered the WAF sensitivity (for example the OWASP paranoia level and threshold) to a point where the payload was no longer detected.
“The likelihood is that they do not have all the WAF rules enabled. However, without additional information, we cannot confirm that a bypass has been found.
“We'd also like to remind researchers that any test activity against our WAF should be performed on Cloudflare’s public facing bug bounty program domain as very often bypasses are due to badly or purposely miss configured WAF settings. Cloudflare’s test domain is correctly configured with good WAF settings.
“If there are additional payloads, we welcome researchers to submit them via Cloudflare’s bug bounty program, as feedback enables us to make our products better.”
Romano’s blog post contains more technical details on the vulnerability.
The researcher said that he has “a good feeling that most IDS/IPS/WAF products out there might be vulnerable to this SQL injection technique”, adding that he doesn’t, however, have the time and resources to test them all.
Users should update to the latest version of ImpressCMS (1.4.4) immediately.
The Daily Swig has contacted ImpressCMS for comment and will update this article as and when we hear back.