CVE-2021-26599
📋 TL;DR
CVE-2021-26599 is a SQL injection vulnerability in the groups parameter of include/findusers.php in ImpressCMS. An attacker can execute arbitrary SQL commands to read sensitive data, modify database contents, or potentially gain administrative access. All ImpressCMS installations before version 1.4.3 are affected.
💻 Affected Systems
- ImpressCMS
📦 What is this software?
ImpressCMS by ImpressCMS
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, privilege escalation to admin, and potential remote code execution via database functions.
Likely Case
Unauthenticated attackers extracting sensitive user data, modifying content, or gaining administrative privileges.
If Mitigated
Limited impact with proper input validation and database permissions, but still significant risk of data exposure.
🎯 Exploit Status
Multiple public proof-of-concept exploits are available, making this easily exploitable by attackers with basic skills.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.3 and later
Vendor Advisory: https://github.com/ImpressCMS/impresscms/releases/tag/v1.4.3
Restart Required: No
Instructions:
1. Back up your database and files.
2. Download ImpressCMS 1.4.3 or later from the official repository.
3. Replace the vulnerable include/findusers.php file with the patched version.
4. Verify the fix by checking the version in the admin panel.
🔧 Temporary Workarounds
Input Validation Filter
Add input validation that sanitizes the groups parameter before it is used in any query. Note that the example below handles a scalar value only; if the parameter is submitted as an array, each element needs to be validated the same way.
# Edit include/findusers.php and add input validation for the groups parameter
# Example: $groups = filter_var($_GET['groups'], FILTER_SANITIZE_NUMBER_INT);
Access Restriction
Restrict access to include/findusers.php to authenticated administrators only (the example below checks isAdmin).
# Add authentication check at the beginning of include/findusers.php
# Example: if (!is_object(icms::$user) || !icms::$user->isAdmin()) { die('Access denied'); }
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with SQL injection rules to block exploitation attempts
- Restrict network access to the ImpressCMS installation to trusted IP addresses only
🔍 How to Verify
Check if Vulnerable:
Confirm that include/findusers.php is present, then check the ImpressCMS version in system/admin.php or in the admin panel; any version before 1.4.3 is vulnerable.
Check Version:
Check the ImpressCMS version in the admin panel at /admin.php or examine the version in system/version.php
Verify Fix Applied:
Verify the version is 1.4.3 or later in the admin panel, and check that include/findusers.php has proper input validation for the groups parameter.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts from single IP
- Access to include/findusers.php with suspicious parameters
Network Indicators:
- HTTP requests to include/findusers.php with SQL injection patterns in parameters
- Unusual outbound database connections
SIEM Query:
source="web_logs" AND uri="/include/findusers.php" AND (query="*UNION*" OR query="*SELECT*" OR query="*INSERT*" OR query="*DELETE*")
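The SIEM query above matches keywords anywhere in the query string of requests to include/findusers.php. As an added example (not code from this page or from the ImpressCMS project), the following Python applies the same rule to constructed Apache-style access-log lines and tightens it in two ways a practitioner would want: the query string is percent-decoded before matching, so URL-encoded keywords are not missed, and any non-integer value in the groups parameter is flagged as an anomaly even when no keyword is present. The log lines are constructed; treating groups as an integer-valued parameter is an assumption taken from the workaround above.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache common log format; not captured traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2022:12:00:01 +0000] "GET /include/findusers.php?groups=1 HTTP/1.1" 200 512
203.0.113.11 - - [10/Mar/2022:12:00:02 +0000] "GET /include/findusers.php?groups=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 1834
203.0.113.12 - - [10/Mar/2022:12:00:03 +0000] "GET /index.php?q=select HTTP/1.1" 200 900
203.0.113.13 - - [10/Mar/2022:12:00:04 +0000] "GET /include/findusers.php?groups[]=2&groups[]=3 HTTP/1.1" 200 640
203.0.113.14 - - [10/Mar/2022:12:00:05 +0000] "GET /include/findusers.php?groups=%27 HTTP/1.1" 200 2048
203.0.113.15 - - [10/Mar/2022:12:00:06 +0000] "POST /include/findusers.php HTTP/1.1" 200 640
"""

VULN_PATH = "/include/findusers.php"  # script named in the advisory

# Apache common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Same keyword set as the SIEM query; word boundaries avoid hits on e.g. "selection"
SQL_KEYWORDS = re.compile(r"\b(union|select|insert|delete)\b", re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qsl percent-decodes keys and values, so encoded keywords are normalised before matching
    params = parse_qsl(parts.query, keep_blank_values=True)
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": parts.path,
        "params": params,
        "status": int(m.group("status")),
    }


def classify(record):
    """Return a reason string for a suspicious request, or None for irrelevant or clean ones."""
    if record is None or record["path"] != VULN_PATH:
        return None
    # Accept both groups=1 and the PHP array form groups[]=1
    values = [v for k, v in record["params"] if k == "groups" or k.startswith("groups[")]
    if not values:
        # Access logs do not contain POST bodies; body-borne parameters need
        # application or WAF logs, so nothing can be concluded here.
        return None
    for v in values:
        if SQL_KEYWORDS.search(v):
            return f"SQL keyword in groups parameter: {v!r}"
    for v in values:
        # Assumption from the workaround above: groups is expected to be an integer
        if not v.isdigit():
            return f"non-numeric groups parameter: {v!r}"
    return None


def scan_log(text):
    """Run the classifier over every line; return a list of (ip, timestamp, reason) findings."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        reason = classify(rec)
        if reason:
            findings.append((rec["ip"], rec["ts"], reason))
    return findings


if __name__ == "__main__":
    for ip, ts, reason in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {reason}")
```

Run against the sample, the scanner reports the encoded UNION/SELECT request and the lone-quote request, while the numeric scalar and array forms and the unrelated /index.php request pass. The POST line produces nothing because the body is not in the access log; covering that path requires application-level or WAF logging.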
🔗 References
- http://karmainsecurity.com/KIS-2022-04
- http://packetstormsecurity.com/files/166404/ImpressCMS-1.4.2-SQL-Injection.html
- http://seclists.org/fulldisclosure/2022/Mar/46
- https://hackerone.com/reports/1081145