Credit:
The information has been provided by Scott Miles and Greg Johnson.
The original article can be found at: http://www.clearskies.net/documents/css-advisory-css1001-imperva.php
Vulnerable Systems:
* Web Application and Database Firewall versions prior to March 9, 2010
* SecureSphere versions 5.0 through 7.0.
Protection provided by the Imperva device against attacks such as SQL injection and Cross-Site Scripting is negated, allowing unfiltered requests through to protected applications.
An attacker can use this flaw to bypass firewall protections. Anyone with the ability to interact with protected web applications and databases can exploit this vulnerability. Only minimal skill is required and the bypass can be incorporated into existing exploitation frameworks and security testing tools. Exploitation of this issue does not permanently affect the device; each evasion request must contain the bypass payload.
Patch Availability:
The vendor has released patches for affected versions to address this issue. Customers are strongly encouraged to apply the update as soon as possible. Refer to the following URL for upgrade instructions:
http://www.imperva.com/resources/adc/adc_advisories_response_clearskies.html
CVE Information:
CVE-2010-1329
Disclosure Timeline:
2009-08-31 - Vendor notified.
2010-03-09 - Vendor released patched firmware.
2010-04-05 - Public notification.