[NEWS] Fortigate Firewall Inadequate Log Filtering

From: SecuriTeam (support_at_securiteam.com)
Date: 10/09/03

  • Next message: SecuriTeam: "[UNIX] EMML and EMGB Include() Security Vulnerability"
    To: list@securiteam.com
    Date: 9 Oct 2003 16:37:14 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Fortigate Firewall Inadequate Log Filtering
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.fortinetfirewall.com/> Fortigate Firewall, has been found to
    contain a cross-site scripting vulnerability due to inadequate filtering
    of the log files that is kept when the web filtering is enabled.

    DETAILS

    Vulnerable systems:
     * Fortigate Firewall pre 2.50 maintenance release 4

    Immune systems:
     * Fortigate Firewall 2.50 maintenance release 4

    After the web filter has been enabled, the administrator has the ability
    to review the web filter logs via the web interface. The web filter logs
    contain the URL that has been denied by the filter. Because of the fact
    that unwanted characters are not stripped from the denied URL, a remote
    attacker is able to gain the credentials of an administrator, as soon as
    the administrator reviews the logs.

    Example:
    Pages with the keyword "mp3-download" are denied by the web filter. The
    page <http://192.168.5.11/maarten.html> contains such a keyword. A remote
    attacker could poison the log files by retrieving ''
    http://192.168.5.11/maarten.html< script>alert(oops)</script>

    When altering the script a bit, the user credentials could easily be
    forwarded to the attacker, who could then use these credentials to alter
    the firewall if the administrator has not properly secured access to
    HTTPS/SSH/TELNET/HTTP.

    Solution:
    1. A basic rule in firewall administration is to only allow connections to
    the firewall-administration-options from specific IP addresses (or
    preferably, specific IP addresses connecting from a management network to
    the management interface of the firewall). When this best practice is
    applied, an attacker that manages to gain administration credentials as
    described above will not be able to abuse them too easily.

    2. Manage your firewall from a dedicated workstation that has no
    connections (directly OR through a proxy) to un-trusted networks in order
    to avoid a credential push as described above.

    3. Upgrade FortiOS 2.50MR4, which (according to fortinet) does not contain
    this problem.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:maartenh@phreaker.net>
    Maarten Hartsuijker.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[UNIX] EMML and EMGB Include() Security Vulnerability"

    Relevant Pages

    • [NEWS] Fortigate Firewall Web Interface Vulnerabilities
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... obtain an administrative username and password of the Fortigate firewall. ... remote attacker can trick an administrator into revealing his credentials. ... Web Filter Log Passes Unfiltered Session Details ...
      (Securiteam)
    • [NT] BlackIce Server Protect Unprivileged User Attack
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... BlackICE responds immediately by ... Due to insecure access control restrictions of the firewall initialization ... auto-blocking = enabled, 2000, BIgui ...
      (Securiteam)
    • [REVS] Placing Backdoors Through Firewalls
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... This article describes possible back-doors through different firewall ... This is the enhanced version of a packet filter. ... A proxy as a firewall host is simply any server which has no routing ...
      (Securiteam)
    • [NEWS] DLink-614+ Script Injection Through DHCP HOSTNAME Option
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... It is possible to inject malicious script through the DHCP HOSTNAME option ... one can inject a script designed to force the administrator ...
      (Securiteam)
    • [NT] Agnitum Outpost Firewall Pro DoS
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Outpost Firewall Pro, you get award-winning ... By flooding Outpost Pro with a sustained rate of packets it is possible to ... Outpost Pro maintains a list of all new incoming packets. ...
      (Securiteam)