How to Protect Against SQL Injection
Features designed to protect against SQL injection could be abused and turned against the host application
Vulnerabilities in ImpressCMS could allow an unauthenticated attacker to bypass the software's SQL injection protections to achieve remote code execution (RCE), a security researcher has warned.
The vulnerabilities, an SQL injection flaw (CVE-2021-26599) and an access control bug, have now been patched in the latest version of the popular open source content management system (CMS).
However, the same technique could be modified to bypass other well-known security tools – ultimately meaning that features designed to protect against SQL injection exploits can be abused and turned against the host application.
Unauthenticated attacks
Researcher Egidio "EgiX" Romano said that this vulnerability "should be exploitable only by registered ImpressCMS users". However, due to an incorrect access control check, it could be bypassed (CVE-2021-26598) and exploited by unauthenticated attackers, too.
Romano told The Daily Swig: "To successfully exploit this vulnerability you have to deal with Protector, which is a sort of built-in Web Application Firewall (WAF) in ImpressCMS, and this is where the idea to use this 'new' SQL injection technique came in.
"The interesting part is that this very same technique, which should be twenty years old, could be abused also to bypass Web Application Firewalls nowadays," said Romano, who claimed that OWASP ModSecurity Core Rule Set and Cloudflare's WAF are among those at risk.
In a blog post, Romano explained that successful exploitation of these vulnerabilities could lead to RCE.
There are some limitations, namely that ImpressCMS must be installed with the PDO database driver, which allows for stacked queries, but "in general, there are only two requirements for this SQL injection technique to work – the application should be vulnerable to SQL injection, of course, [and] the application should support execution of multiple (stacked) SQL queries".
Knock-on impact
The researcher reported the issues to ImpressCMS via HackerOne in January 2021, and both bugs have now been fixed.
Romano claims, however, that two major security technologies – OWASP's ModSecurity Core Rule Set (CRS) and Cloudflare's WAF – can be bypassed through this technique.
Romano told The Daily Swig that when configured with 'Paranoia Level 1' (the default configuration), ModSecurity's SQL injection detection rules can be bypassed with a "slightly modified version" of the technique that was originally developed against ImpressCMS Protector.
He added: "CRS also relies on libinjection to detect SQL injection patterns, an open source library in which I discovered a bug that allows bypassing its detection mechanisms."
"This will bypass libinjection detection rules, but not all of the CRS rules," he added.
Speaking to The Daily Swig, ModSecurity project co-lead Christian Folini confirmed that the CRS is vulnerable.
He added: "Bypasses of the default installation are not welcome, but they are accepted to a certain extent.
"We suggest users with higher security needs, basically everybody doing business on the internet, to raise their paranoia level to 2 or higher, where we detect bypasses like the ones in question."
Payload blocked
Speaking to The Daily Swig, Michael Tremante, product manager at Cloudflare, said that the payload detailed in Romano's blog is blocked by its WAF.
Tremante commented: "As far as we can tell, the researcher lowered the WAF sensitivity (for example the OWASP paranoia level and threshold) to a point where the payload was no longer detected.
"The likelihood is that they do not have all the WAF rules enabled. However, without additional information, we cannot confirm that a bypass has been found.
"We'd also like to remind researchers that any test activity against our WAF should be performed on Cloudflare's public-facing bug bounty program domain, as very often bypasses are due to badly or purposely misconfigured WAF settings. Cloudflare's test domain is correctly configured with good WAF settings.
"If there are additional payloads, we welcome researchers to submit them via Cloudflare's bug bounty programme, as feedback enables us to make our products better."
Further risks
Romano's blog post contains more technical details on the vulnerability.
The researcher said that he has "a good feeling that most IDS/IPS/WAF products out there might be vulnerable to this SQL injection technique", adding that he doesn't, however, have the time and resources to test them all.
Users should update to the latest version of ImpressCMS (1.4.4) immediately.
The Daily Swig has contacted ImpressCMS for comment and will update this article as and when we hear back.
Source: https://portswigger.net/daily-swig/sql-injection-protections-in-impresscms-could-be-bypassed-to-achieve-rce