CVE-2023-50969: Imperva firewalls become a bridge for SQL injection and XSS attacks

Father

HoyaHaxa explains what will happen if companies don't update Imperva SecureSphere urgently.

Cybersecurity experts are sounding the alarm: a serious vulnerability has been identified in the popular Imperva SecureSphere web application firewall (WAF). The issue has been assigned the ID CVE-2023-50969. It carries a critical CVSS score of 9.8 out of 10 and allows attackers to bypass the security rules designed to prevent web attacks such as SQL injection and cross-site scripting.

Researcher HoyaHaxa disclosed the technical details of the problem and demonstrated a potential exploitation scenario.

Attackers can bypass WAF protection by manipulating the Content-Encoding headers in HTTP requests. It is enough to send specially encoded POST data; as a result, the request reaches vulnerabilities in the very applications the firewall is supposed to protect.

Imagine that the protected application contains vulnerable code, such as an insecure PHP web wrapper, clam.php, which executes any system command passed via the cmd POST parameter. Normally, dangerous commands like cat /etc/passwd are blocked by standard WAF rules.

A hacker can bypass the blocking WAF rule by sending an HTTP request with two (or more) specially formed headers. The Content-Encoding header indicates how the HTTP message body is encoded; acceptable values are br, compress, deflate, and gzip. In this case, it is enough to add one Content-Encoding header with an arbitrary value, followed by a second header, Content-Encoding: gzip.

The WAF rules can likewise be bypassed with an additional Content-Encoding header followed by Content-Encoding: deflate.
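As an added illustration (not HoyaHaxa's or Imperva's code), this is the fail-closed normalization an inspection layer needs against this class of bypass: a single Content-Encoding header, only known codings, and a body that actually decodes before any SQLi/XSS/command rules run. The allowlist, the request builder, the host name and the sample requests are constructed for the example; the clam.php path and the cmd parameter come from the write-up above.

```python
import gzip
import zlib

# Content codings the inspector can undo before rule matching. This allowlist is
# an assumption for the example: align it with what the backend really accepts.
KNOWN_CODINGS = {"gzip", "x-gzip", "deflate", "identity"}

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (header pairs, body); duplicate headers are kept."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:                 # skip the request line
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body

def normalize_body(raw):
    """Return {"verdict": "inspect", "body": plaintext} or {"verdict": "reject", "reason": ...}."""
    # The bypass depends on an undecodable body being passed through unchecked, so fail closed.
    headers, body = parse_request(raw)
    encodings = [v for n, v in headers if n == "content-encoding"]
    if len(encodings) > 1:
        return {"verdict": "reject", "reason": "duplicate Content-Encoding headers"}
    codings = [t.strip().lower() for t in encodings[0].split(",")] if encodings else []
    unknown = [c for c in codings if c not in KNOWN_CODINGS]
    if unknown:
        return {"verdict": "reject", "reason": f"unknown content coding {unknown[0]!r}"}
    try:
        for coding in reversed(codings):                  # undo codings in reverse order
            if coding in ("gzip", "x-gzip"):
                body = zlib.decompress(body, 16 + zlib.MAX_WBITS)
            elif coding == "deflate":
                body = zlib.decompress(body)              # zlib-wrapped deflate (RFC 9110)
    except zlib.error:
        return {"verdict": "reject", "reason": "body does not decode as declared"}
    return {"verdict": "inspect", "body": body}           # now visible to the existing WAF rules

def build_request(headers, body):
    """Assemble a constructed POST to the page's clam.php example (test data, not captured traffic)."""
    lines = [b"POST /clam.php HTTP/1.1", b"Host: app.example"]
    lines += [f"{n}: {v}".encode() for n, v in headers]
    return b"\r\n".join(lines) + b"\r\n\r\n" + body

PLAIN = b"cmd=cat /etc/passwd"                            # the command the page says WAF rules block
LEGIT = build_request([("Content-Encoding", "gzip")], gzip.compress(PLAIN))
# The two header shapes the write-up describes: a bogus coding, then a real one.
BYPASS_GZIP = build_request([("Content-Encoding", "xyz"), ("Content-Encoding", "gzip")],
                            gzip.compress(PLAIN))
BYPASS_DEFLATE = build_request([("Content-Encoding", "xyz"), ("Content-Encoding", "deflate")],
                               zlib.compress(PLAIN))
```

A production inspector should additionally cap decompressed size (via zlib.decompressobj with max_length) so the normalization step cannot itself be used for resource exhaustion.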

CVE-2023-50969 affects Imperva SecureSphere WAF version 14.7.0.40 and any other versions without the Application Defense Center (ADC) update released on February 26, 2024. Imperva Cloud WAF clients are not affected by this vulnerability.

Organizations using Imperva SecureSphere are strongly advised to install the February 26 ADC update and conduct a thorough audit of their applications for other known vulnerabilities.