AWS WAF and ModSecurity get ‘blinded by science’

Security researchers have discovered that a historic vulnerability affecting both MySQL and MariaDB databases caused serious flaws for security technologies from AWS.

AWS Web Application Firewall (WAF) customers were left unprotected against SQL injection attacks that relied on a scientific notation bug first discovered in 2013, research from GoSecure has revealed.

The same, somewhat obscure flaw also affected customers of ModSecurity, an open-source WAF.

The issue dates back to a Black Hat presentation from 2013, delivered by security researcher Roberto Salgado, that delved deep into various SQL injection techniques.

The GoSecure team discovered that the aforementioned scientific notation bug, which was cited by Salgado, was far more powerful than first suspected.

The flaw allowed SQL syntax to remain valid even when it should have been deemed invalid, confusing security defenses such as WAFs in the process.

Problems ensued when handling scientific notations, specifically the e notation (exponential), as explained in a detailed technical blog post from GoSecure.

The Montreal-based firm disclosed this WAF bypass bug to Amazon in August, receiving confirmation that it had been resolved at the start of October.

It was only at this time that GoSecure discovered the Libinjection component of ModSecurity was similarly vulnerable.

After confirming that stricter lockdown settings (specifically the paranoia level 2 workaround in ModSecurity/libinjection) alleviated the problem, GoSecure went public with its findings.

Confusion bug

Amazon Web Services (AWS) offers a product called CloudFront that can be combined with AWS WAF with predefined rules.

Tests by GoSecure showed that these rules might be circumvented by taking advantage of the scientific notation vulnerability in the underlying technology.

This flaw neither affects the data handling of MySQL or MariaDB, “nor did it let you escalate your privileges until we found the WAF bypass”, the researchers at GoSecure explain.

“The security implications of this issue are outside the control of MySQL and MariaDB,” according to GoSecure.