A security researcher discovered multiple vulnerabilities in the open-source platform ImpressCMS that, chained together, could allow remote code execution (RCE). Since the vendor has released patches, users must update their websites to the latest CMS version.
As elaborated in a blog post, the security researcher and penetration tester Egidio Romano discovered multiple SQL injection vulnerabilities affecting ImpressCMS that could trigger remote code execution attacks.
ImpressCMS is an open-source website building and maintenance platform. This PHP-based tool runs on a MySQL database. With exciting and user-friendly features, the CMS attracts business and individual users alike.
Explaining his findings, the researcher described two different vulnerabilities that together could lead to RCE on ImpressCMS sites: an access control bypass (CVE-2021-26598) and an SQL injection vulnerability (CVE-2021-26599) in the /include/findusers.php script.
By design, the vulnerable script lets authenticated users search for other users. However, the access control bypass exposed this script to unauthenticated users too. Thus, an adversary could manipulate the executed SQL queries to read stored data.
The platform's Protector module is meant to block such attempts by detecting suspicious strings in requests. However, the researcher noticed that an adversary could bypass this check with hex-encoded strings. As he stated:
Since stacked queries are allowed, an attacker might be able to bypass the Protector module by assigning to a variable the hex representation of the query they want to execute (by using SET), and then use the PREPARE and EXECUTE MySQL statements to ultimately execute the query.
Exploiting the bug in this manner could let an adversary log in as the admin and execute arbitrary PHP code.
Moreover, the researcher demonstrated that an attacker could also bypass web application firewalls (WAFs) protecting such sites. A detailed PoC and technical information are available in Romano's post.
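The bypass described above works because a plain keyword filter never sees the hex-encoded query that SET / PREPARE / EXECUTE later run. The following check, added here as an example and not code from Romano's post or from ImpressCMS, shows the defender's counterpart: decode MySQL hex literals first, count stacked statements, and only then match keywords. The two sample queries are constructed for the example.

```python
import re

# MySQL hex literals (0x53454c4543...) hide keywords from a plain-text filter.
HEX_LITERAL = re.compile(r"\b0x([0-9a-fA-F]+)\b")
# Markers of the SET / PREPARE / EXECUTE detour plus classic injection keywords.
SUSPICIOUS = re.compile(r"\b(PREPARE\b|EXECUTE\b|SET\s+@\w+\s*=|UNION\s+SELECT\b|INFORMATION_SCHEMA\b)", re.I)

def decode_hex_literals(sql):
    """Replace each hex literal with its decoded text so keyword checks see the real payload."""
    def repl(m):
        digits = m.group(1)
        if len(digits) % 2:  # odd length is not a byte string; leave it untouched
            return m.group(0)
        return bytes.fromhex(digits).decode("utf-8", "replace")
    return HEX_LITERAL.sub(repl, sql)

def split_statements(sql):
    """Quote-aware split on ';' so stacked statements can be counted."""
    stmts, buf, quote = [], [], None
    for ch in sql:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
        elif ch == ";":
            stmts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    stmts.append("".join(buf).strip())
    return [s for s in stmts if s]

def inspect_query(sql):
    """Return the reasons a query looks like a filter bypass; an empty list means clean."""
    reasons = []
    count = len(split_statements(sql))
    if count > 1:
        reasons.append(f"stacked query: {count} statements")
    decoded = decode_hex_literals(sql)
    if decoded != sql:
        reasons.append("hex literal decoded")
    hits = sorted({m.group(1).split()[0].upper() for m in SUSPICIOUS.finditer(decoded)})
    if hits:
        reasons.append("suspicious keywords: " + ", ".join(hits))
    return reasons

# Constructed samples: a normal user search, and a SET/PREPARE/EXECUTE detour carrying a hex-encoded query.
BENIGN = "SELECT uid, uname FROM users WHERE uname LIKE 'adm%'"
DETOUR = ("SELECT 1; SET @q = 0x" + b"SELECT 1 UNION SELECT 2".hex()
          + "; PREPARE s FROM @q; EXECUTE s")
```

Disabling multi-statement execution in the database driver removes the stacked-query precondition outright; the decoding check is for reviewing request logs or tuning a WAF rule where that is not possible.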
Upon discovering the vulnerabilities, the researcher reported them to the ImpressCMS developers. Initially, the vendor patched the bugs with the release of ImpressCMS version 1.4.3. However, the researcher noticed that this release only fixed CVE-2021-26598 and remained vulnerable to CVE-2021-26599.
Eventually, the vendor fixed the other flaw in ImpressCMS version 1.4.4. Hence, all users should update their websites to the latest ImpressCMS version to stay safe from potential exploits.