Imperva SecureSphere WAF, a security tool for on-premise web applications, has a vulnerability in some versions that allows attackers to bypass filters when inspecting POST data. 

By sneaking malicious content past the WAF, attackers could potentially exploit security flaws in the protected web applications that the WAF would normally block, which compromises the security of the web applications shielded by the WAF. 

A critical vulnerability (CVE-2023-50969) exists in Imperva SecureSphere WAF versions that lack the update referenced in the  “Fixed Version(s)” section, allowing attackers to bypass WAF rules designed to inspect POST data, potentially enabling the exploitation of vulnerabilities in protected applications that the WAF would normally block. 

The attacker doesn’t need to authenticate and can exploit the vulnerability remotely, while it is rated critical due to the high severity of bypassing security controls. 

Technical Details Of The Vulnerability:

The code snippet demonstrates a PHP webshell vulnerability named clam.php, which creates a form that allows users to submit arbitrary commands through a text input field. 

When the form is submitted, the `system` function is used to execute the submitted command on the server, posing a security risk because it allows attackers to remotely execute arbitrary code on the server, potentially compromising the system.

The lack of proper input validation and sanitization in the code allows for the injection of malicious code through user input, which an attacker could use to upload malicious files, steal sensitive data, or deface the website.

A security vulnerability exists where a system command can be executed through a POST request with a specific parameter, where standard WAF rules typically block such attempts (e.g., reading password files). 

By manipulating the Content-Encoding header, one can get around the rules by tricking the WAF into misinterpreting the data and allowing the malicious command to run. 

A specific WAF rule vulnerability allows attackers to bypass security by sending a malformed HTTP request with a double Content-Encoding header (“No Kill No Beep Beep” and “deflate”) followed by a throwaway parameter before the actual malicious data. 

According to the Hoya Haxa, a vulnerability was reported to Imperva on November 10th, 2023, and an update to address this vulnerability was released through Imperva’s ADC rules on February 26th, 2024, whereas  details regarding the vulnerability and the remediation process were publicly disclosed in a blog post on March 27th, 2024.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.