CVE-2021-26601
📋 TL;DR
CVE-2021-26601 is a path traversal vulnerability in ImpressCMS that allows attackers to read arbitrary files on the server by manipulating the image_temp parameter in libraries/image-editor/image-edit.php. This affects all ImpressCMS installations before version 1.4.3 that have the image editor functionality enabled.
💻 Affected Systems
- ImpressCMS
📦 What is this software?
ImpressCMS by ImpressCMS
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive files like configuration files, database credentials, or system files, potentially leading to full system compromise if credentials are exposed.
Likely Case
Unauthenticated attackers reading web application configuration files, source code, or other sensitive data stored in accessible directories.
If Mitigated
Limited impact with proper file permissions and web server configuration restricting access to sensitive directories.
🎯 Exploit Status
Exploitation is straightforward with publicly available proof-of-concept code. No authentication required to access the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.3
Vendor Advisory: https://github.com/ImpressCMS/impresscms/releases/tag/v1.4.3
Restart Required: No
Instructions:
1. Back up your ImpressCMS installation and database.
2. Download ImpressCMS 1.4.3 or later from the official repository.
3. Replace the vulnerable file libraries/image-editor/image-edit.php with the patched version.
4. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Disable Image Editor
Linux: Remove or restrict access to the vulnerable image-edit.php file
mv libraries/image-editor/image-edit.php libraries/image-editor/image-edit.php.disabled
chmod 000 libraries/image-editor/image-edit.php.disabled
Web Server Access Restriction
All platforms: Configure the web server to block access to the vulnerable endpoint
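# Apache: Add to .htaccess (2.2 syntax; on Apache 2.4 without mod_access_compat, use "Require all denied" in place of the Order/Deny lines)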
<Files "image-edit.php">
Order allow,deny
Deny from all
</Files>
# Nginx: Add to server block
location ~* /libraries/image-editor/image-edit\.php$ {
deny all;
return 403;
}
🧯 If You Can't Patch
- Implement strict file permission controls on sensitive directories and configuration files
- Deploy a web application firewall (WAF) with path traversal protection rules
🔍 How to Verify
Check if Vulnerable:
Attempt to access /libraries/image-editor/image-edit.php?image_temp=../../../etc/passwd (or similar traversal) and check if server returns sensitive file contents.
Check Version:
Check ImpressCMS version in admin panel or examine includes/version.php file
Verify Fix Applied:
After patching, attempt the same traversal attack and verify it returns an error or empty response instead of file contents.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /libraries/image-editor/image-edit.php with ../ sequences in parameters
- Unusual file access patterns from web server process
Network Indicators:
- HTTP requests containing path traversal sequences (../, ..\) to the vulnerable endpoint
SIEM Query:
web.url:*image-edit.php* AND (web.query:*../* OR web.query:*..\*)
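An added example (not from the advisory or the ImpressCMS project) that applies the log indicators above to web server access-log lines. It goes beyond the literal `../` pattern by decoding percent-encoded and double-encoded sequences, which a wildcard query may miss if the SIEM stores the query string undecoded. It assumes combined log format; the sample lines and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined log format: client ... "METHOD target HTTP/x.y" status ...
REQUEST_RE = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')
ENDPOINT = "/image-edit.php"             # vulnerable script named in the advisory
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")  # ../ or ..\


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded input surfaces."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_hits(lines):
    """Return (client, status, decoded_query) for each suspicious request."""
    hits = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, _method, target, status = match.groups()
        parts = urlsplit(target)
        if not fully_decode(parts.path).lower().endswith(ENDPOINT):
            continue
        query = fully_decode(parts.query)
        if TRAVERSAL_RE.search(query):
            hits.append((client, int(status), query))
    return hits


# Constructed sample lines (documentation IP ranges, not from a real server).
_EP = "/libraries/image-editor/image-edit.php?image_temp="
SAMPLE_LOG = [
    f'203.0.113.5 - - [01/Mar/2022:10:00:00 +0000] "GET {_EP}../../../etc/passwd HTTP/1.1" 200 1532',
    f'203.0.113.5 - - [01/Mar/2022:10:00:02 +0000] "GET {_EP}%2e%2e%2f%2e%2e%2fsample.txt HTTP/1.1" 200 880',
    f'198.51.100.7 - - [01/Mar/2022:10:05:00 +0000] "GET {_EP}%252e%252e%255csample.txt HTTP/1.1" 403 199',
    f'192.0.2.10 - - [01/Mar/2022:10:06:00 +0000] "GET {_EP}photo_123.jpg HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Mar/2022:10:07:00 +0000] "GET /index.php?page=../about HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in find_traversal_hits(SAMPLE_LOG):
        print(hit)
```

This only sees parameters sent in the query string, so pair it with the file-access indicator listed above. A hit with a 200 status deserves a closer look than one the server already rejected.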
🔗 References
- http://karmainsecurity.com/KIS-2022-02
- http://packetstormsecurity.com/files/166402/ImpressCMS-1.4.2-Path-Traversal.html
- http://seclists.org/fulldisclosure/2022/Mar/44
- https://hackerone.com/reports/1081878