lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 12 Sep 2018 16:42:02 +0200
From: Dam Cab <fu@...hack.fr>
To: fulldisclosure@...lists.org
Subject: [FD] Policy bypass on Imperva WAF

Hello everyone,

Can I have your opinion about this bug below please ?

# Exploit Title: Policy Bypass on Imperva SecureSphere Web Application
Firewall
# Date: 08/05/2018
# Author: Damien CabriƩ
# Contact: https://twitter.com/nawhack
# Vendor Homepage: http://www.imperva.com
# Version: Imperva SecureSphere WAF 11.5 in all deployment options
# Tested on: Imperva SecureSphere WAF 11.5.0.95_0 (bridge and reverse proxy
mode)
# Class: Policy Bypass

[VULNERABILITY DETAILS]

The Imperva WAF provides solutions to protect websites against attacks (SQL
injections, cross site scripting, illegal resource access). The protect is
base with policies building from Signatures (network, generic attack, known
web application vulnerabilities), Application profiling and Threatradar
Reputation Service.

There is a bug in the Web Correlation Policy engine which protect against
SQLi and XSS.

The WAF is not able to detect malicious SQLi or XSS content in the body of
POST requests without the "Content-Type" header.

An attacker can easily craft a POST request method without the Content-Type
header to bypass firewall protections.

Applications protected by the WAF could be compromised with this bug.

[REMEDIATION]
If possible, block POST requests without Content-Type header.

[DISCLOSURE TIME-LINE]
    * 08/05/2018 - Initial vendor contact.

    * 27/06/2018 - Imperva confirmed the issue. Fix targeted for Q4 2018.

    * 12/07/2018 - Ticket closed.

    * 18/08/2018 - Public disclosure.

Regards

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ