Attack Chain

1. The attacker authenticates to the ImpressCMS application with valid credentials.
2. The attacker crafts a malicious POST request targeting the admin.php endpoint.
3. The POST request includes the bid parameter containing SQL injection payload designed to cause a time delay.
4. The ImpressCMS application processes the POST request without proper sanitization of the bid parameter.
5. The injected SQL code is executed against the underlying database, causing a time-based delay.
6. The attacker monitors the response time to confirm successful injection.
7. The attacker refines the SQL injection payload to extract sensitive information from the database using techniques like SLEEP() and conditional queries.
8. The attacker exfiltrates the sensitive data obtained from the database.

Impact

Successful exploitation of this vulnerability allows an attacker to read sensitive data from the ImpressCMS database. This may include user credentials, configuration details, and other confidential information. While the exploit requires authentication, a successful attack could lead to complete compromise of the application and its data, potentially impacting all users and the integrity of the website. The CVSS v3.1 score of 7.1 reflects the high potential impact of this vulnerability.

Recommendation

• Apply the necessary patches or upgrade to a version of ImpressCMS that addresses CVE-2019-25703 to remediate the SQL injection vulnerability.
• Deploy the provided Sigma rule to detect malicious POST requests containing SQL injection attempts targeting the admin.php endpoint.
• Implement input validation and sanitization on the bid parameter within the ImpressCMS application to prevent SQL injection attacks.
• Monitor web server logs for suspicious POST requests to admin.php with unusual parameters, as this can be an indicator of exploitation attempts.
• Review and restrict access to the admin.php endpoint to only authorized users to minimize the attack surface.