VYPR
Critical severity · NVD Advisory · Published Mar 28, 2022 · Updated Aug 3, 2024

CVE-2021-26600

Description

ImpressCMS before 1.4.3 has plugins/preloads/autologin.php type confusion with resultant Authentication Bypass (!= instead of !==).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ImpressCMS before 1.4.3 uses a loose comparison (!= instead of !==) in autologin.php, allowing authentication bypass via type juggling.

Vulnerability

In ImpressCMS versions prior to 1.4.3, the file plugins/preloads/autologin.php implements automatic login functionality based on cookie values autologin_uname and autologin_pass. The vulnerability lies in lines 62–63, where the password verification uses the loose comparison operator != instead of the strict !==. This allows type juggling, which can lead to authentication bypass [1][4].

Exploitation

An attacker must be able to send HTTP requests with crafted cookie values. The attacker sets the autologin_uname cookie to the username of a target user (e.g., an administrator) and the autologin_pass cookie to a specially crafted value that exploits PHP's type juggling. The vulnerable code compares a computed hash (using md5, ICMS_DB_PASS, ICMS_DB_PREFIX, and a timestamp) with the attacker-supplied value using !=. By choosing a value that, after type juggling, loosely equals the hash (e.g., a boolean true or a numeric string), the comparison can succeed without knowing the actual password [4].
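The loose versus strict comparison described in the Vulnerability and Exploitation paragraphs above, as an added illustration that is not code from ImpressCMS or its autologin.php: the function names, the hash recipe and the ICMS-style constants are assumptions standing in for what the plugin computes, and the probe cookie values are constructed.

```php
<?php
// Added illustration, not ImpressCMS code. The token recipe below is an assumed
// stand-in for what autologin.php derives from ICMS_DB_PASS, ICMS_DB_PREFIX and
// a timestamp; only the comparison style is the point.
function compute_expected(string $uname, string $dbPass, string $dbPrefix, int $ts): string
{
    return md5($uname . $dbPass . $dbPrefix . $ts);
}

// Vulnerable pattern: loose inequality lets PHP juggle types before comparing.
// A non-string on the right-hand side is coerced, so the check can pass without
// the supplied value ever matching the hash string byte for byte.
function check_loose(string $expected, $supplied): bool
{
    return !($expected != $supplied);   // mirrors "if ($expected != $supplied) { fail }"
}

// Hardened pattern: reject anything that is not a string, then compare the
// strings in constant time so there is neither juggling nor a timing side channel.
function check_strict(string $expected, $supplied): bool
{
    if (!is_string($supplied)) {
        return false;
    }
    return hash_equals($expected, $supplied);
}

$expected = compute_expected('admin', 'dbpass-placeholder', 'icms_', 1648425600);

// Constructed probe values: the genuine token, a boolean (one of the juggling
// classes the advisory names) and an ordinary wrong string.
$probes = [
    'correct token' => $expected,
    'boolean true'  => true,
    'wrong string'  => 'not-the-token',
];

foreach ($probes as $label => $value) {
    printf("%-14s loose=%-5s strict=%s\n", $label,
        var_export(check_loose($expected, $value), true),
        var_export(check_strict($expected, $value), true));
}
// Expected: the loose check accepts both the correct token and the boolean;
// the strict check accepts only the correct token.
```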

Impact

Successful exploitation allows the attacker to bypass authentication and log in as any existing user, including administrators. This can lead to full compromise of the CMS, including arbitrary data access, content modification, and potential server-side code execution [1][4].

Mitigation

The vulnerability is fixed in ImpressCMS version 1.4.3; the release date is not stated, but the fix is referenced in the release notes [2][3]. Users should upgrade to 1.4.3 or later immediately. No workaround is available, as the fix requires a code change in the core. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: impresscms/impresscms (Packagist)
Affected versions: < 1.4.3
Patched versions: 1.4.3

Affected products: 2
Patches: 0 (no patches discovered yet)
References: 7
News mentions: 0 (no linked articles in the index yet)