Thales Imperva SecureSphere WAF
cpe:2.3:a:imperva:securesphere:*:*:*:*:*:*:*
- 14.7.0.40
A vulnerability in Thales Imperva SecureSphere Web Application Firewall (WAF) version 14.7.0.40 allows remote attackers to bypass WAF rules that inspect POST data. This could enable exploitation of vulnerabilities in protected web applications that would normally be blocked by the WAF. The issue arises from the WAF's handling of Content-Encoding headers, which can be manipulated to evade detection and filtering of malicious POST data.
A successful bypass lets attackers exploit vulnerabilities in web applications that the WAF would otherwise protect.
To reproduce this vulnerability, send a POST request to a PHP page with a command execution webshell, such as one that executes system commands via a POST parameter. The request will be blocked by standard WAF rules. However, by adding two Content-Encoding headers—one with an arbitrary value and another with 'gzip' or 'deflate'—the WAF can be bypassed. If necessary, include a throwaway POST parameter to successfully exploit the command execution vulnerability.
Imperva released an ADC rule update on February 26, 2024, to address this vulnerability. Imperva customers can find more information on the Imperva Support Portal.
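A check that a reverse proxy or log pipeline in front of the application could apply to the header pattern described above, as an added example (not Imperva's ADC rule and not code from the advisory). The function names, the allow-list of codings and the sample requests are assumptions constructed for illustration.

```python
import gzip

# Content codings this check accepts (assumption: adjust to what your apps really use).
KNOWN_CODINGS = {"gzip", "x-gzip", "deflate", "br", "identity"}

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (Content-Encoding header lines, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    ce_lines = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-encoding":
            ce_lines.append(value.decode("latin-1"))
    return ce_lines, body

def encoding_findings(raw: bytes) -> list[str]:
    """Return reasons a request's Content-Encoding usage should be rejected or logged."""
    ce_lines, body = parse_request(raw)
    codings = [c.strip().lower() for line in ce_lines
               for c in line.split(",") if c.strip()]
    found = []
    if len(ce_lines) > 1:
        found.append("duplicate-content-encoding-header")
    if any(c not in KNOWN_CODINGS for c in codings):
        found.append("unknown-content-coding")
    # gzip as the outermost (last-listed) coding must start with the gzip magic bytes.
    if codings and codings[-1] in ("gzip", "x-gzip") and not body.startswith(b"\x1f\x8b"):
        found.append("declared-gzip-but-body-not-gzip")
    return found

# Constructed sample requests (not captured traffic); bodies are benign form data.
PLAIN = (b"POST /form.php HTTP/1.1\r\nHost: app.example\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\nname=alice")
GZIPPED = (b"POST /form.php HTTP/1.1\r\nHost: app.example\r\n"
           b"Content-Encoding: gzip\r\n\r\n" + gzip.compress(b"name=alice"))
SUSPECT = (b"POST /form.php HTTP/1.1\r\nHost: app.example\r\n"
           b"Content-Encoding: placeholder\r\nContent-Encoding: gzip\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n\r\nname=alice")

if __name__ == "__main__":
    for label, req in (("plain", PLAIN), ("gzipped", GZIPPED), ("suspect", SUSPECT)):
        print(label, encoding_findings(req))
```

Requests that return any finding are candidates for rejection at the edge, or for review in logs covering the period before the ADC update was applied.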