On 15th July 2021, a critical SQL-injection security vulnerability in the WooCommerce e-commerce platform and a related plugin was reported which might affect millions of websites around the world. The vulnerabilities were detected on the 13th of July and fixed in WooCommerce versions 3.3.6 to 5.5.1 and WooCommerce Blocks versions 2.5.16 to 5.5.1. Though they pushed a forced automatic update to all affected websites, it is recommended to manually check your website and make sure that everything is up to date.

What is the exploit impact? As per the announcement from WooCommerce, this vulnerability allows an unauthenticated attacker to access arbitrary data in an online store’s database. If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information

So what is an SQL Injection attack and how to prevent it? SQL injection is a web security vulnerability that allows an attacker to interfere with the SQL queries that an application makes to its database. This type of vulnerability allows a malicious hacker to affect the database in a way that makes it display information or behave differently in ways it’s not supposed to. This is a common attack vector and can be mostly detected using some website auditing tools. The developer of every application must do proper validation of the user input through any form or from the URI and filter them properly.

Can cPGuard protect your website from such vulnerabilities? Yes, the cPGuard WAF is powered by Malware.Expert ModSec rules set can protect your websites from such generic attacks including SQL injection. So cPGuard can already defend against such attacks and protect your websites. It also works along with the IPDB Distributed  Firewall module which can detect and block the repeated attacking IPs on all our customer servers. 

What is cPGuard WAF?

The cPGuard WAF module is an important part of cPGuard security suite to protect your websites from malicious traffic and attacks. It is powered by Malware.Expert commercial ModSec rules and are loaded with a wide variety of protection levels. With cPGuard, you can implement the WAF rules quite easily and flexibly and enforce maximum website protection based on your preference. We have rules to protect major attack like the following which is well explained in the following sections

1. WordPress/Joomla and other CMS brute-force attacks
2. Crawler bots  and exploit/vulnerability scanner prevention
3. Generic attacks like XSS, SQL injection, WP abuses, etc
4. Block malicious files upload via web
5. Zero-day exploits blocking
   etc

What are the important modules of cPGuard WAF?

The cPGuard WAF consists of various types of rules and each can stop different types of attacks. The major advantage in enabling the WAF with cPGuard is, you can select the set of rules that you wish to enable for your websites. So unlike the competing WAF solutions, our rules are quite wisely separated and let the customers to choose the protection level.

• RBL Protection:- This provides the advanced DDoS protection for POST attacks [ brute-force, script exploits ] and blocks common abusive IP addresses collected through our network of servers with cPGuard installed. We recommend turning this ON if you are getting too many POST attacks as it can help to block many attacks before reaching your application and helps to reduce server load.
•  Captcha Protection :-  Recommended This ruleset will enforce all users to verify not as bot before accessing the CMS [ like WordPress, Joomla, etc ] login pages or submitting the login credentials. Once they are identified as a real user, they will be able to login to their website. This can greatly reduce the load due to brute-force attacks. You can also define the set of URIs that you wish to protect using the captcha system, which makes the protection more powerful and flexible.
• WEBSHELL protection:- If you enable this ruleset, your server will be protected from the execution of PHP shells like following
  • Phoenix WebShell
  • FilesMan
  • c99shell
  • b374k
  • WSO
  • Ani-Shell

  Frontpage may open in web shells, but command execution [ like a copy, delete, move, etc ] is blocked. You can enable this rules set if you control all the web apps on your server.

• SCANNER protection:-  Recommended This will help to keep away bad crawlers from your system. This is a major headache for web hosts and causes unnecessary use of system resources. It can block
  • Bad User-Agents
  • Bad search engine crawlers (Cause High loads)

In addition to the above rules set, the WAF consists of rules to stop brute-force attacks and to enable web-based files scanning.

Why cPGuard WAF is better than the competing WAF solutions?

Our WAF is top-notch to block major automated attacks with less server load compared to the competing WAF solutions. In addition, we cause very minimal or zero false positives in most cases with an option to whitelist rules if they find any isolated issues with any rules.

In general, cPGuard WAF outperform all other competing WAF solutions based on the following points

• We have very minimal but generic WAF rules. That helps to offer a wide range of protection with very little server load
• Rules are generic and thus can block the same types of attacks with different vectors
• We carefully watch the latest exploits and release rules to protect them
• We have explicit generic rules to protect common CMS systems
• Our Captcha protection system is one of the best which can stop all brute-force and bot attacks towards your CMSes
• Cloud-based central system to analyze the latest web threats and to block them 
• The WAF module is clubbed with IPDB Firewall in the core which will eventually help to stop attacks in the system firewall even before it reaches the application server

Have more questions?

In case you are misleaded by some marketing emails about our software and WAF module and would like to know more, please feel free to reach us. Our team is always happy to answer your questions and explain about the cPGuard software

About the vulnerability

Contact Form 7 is a famous WordPress plugin that helps users to create different contact forms on the website. The plugin has a very big user base and having almost over 5 million active installations. So, any vulnerability to such a popular plugin will cause serious security issues to a big number of websites.

Recently there was a report related to this plugin where some security researchers were able to exploit its vulnerability which allowed them to files of any type, bypassing all restrictions set to allow the type of upload-able file types on a website. Also, it allows web shell injections which create it more dangerous and threatening to the website security.

How cPGuard handles the problem?

Immediately after the vulnerability is announced, our WAF team has started investigating it and released a WAF update to protect our user’s websites from the vulnerability. So far cPGuard WAF has the following set of protections against the particular vulnerability.

• We have an explicit WAF rule which prevents exploiting the particular vulnerability
• Our existing WAF rules will prevent uploading PHP files
• Our existing WAF rules will prevent accessing PHP files from the target location.
• Our scanner engine can report about the  file uploads/injections 

Do I still need to worry?

Our WAF and scanner engine are powerful enough to block such targeted and generic types of web exploits. Even though cPGuard provides security measures for this problem, we still encourage you to advise your users to upgrade the Contact Form 7 plugin to the latest version, 5.3.2.

If you need any additional details, please  contact our support team.