[NEWS] Fortigate Firewall Inadequate Log Filtering
From: SecuriTeam (support_at_securiteam.com)
To: firstname.lastname@example.org Date: 9 Oct 2003 16:37:14 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
Fortigate Firewall Inadequate Log Filtering
<http://www.fortinetfirewall.com/> Fortigate Firewall, has been found to
contain a cross-site scripting vulnerability due to inadequate filtering
of the log files that is kept when the web filtering is enabled.
* Fortigate Firewall pre 2.50 maintenance release 4
* Fortigate Firewall 2.50 maintenance release 4
After the web filter has been enabled, the administrator has the ability
to review the web filter logs via the web interface. The web filter logs
contain the URL that has been denied by the filter. Because of the fact
that unwanted characters are not stripped from the denied URL, a remote
attacker is able to gain the credentials of an administrator, as soon as
the administrator reviews the logs.
Pages with the keyword "mp3-download" are denied by the web filter. The
page <http://192.168.5.11/maarten.html> contains such a keyword. A remote
attacker could poison the log files by retrieving ''
When altering the script a bit, the user credentials could easily be
forwarded to the attacker, who could then use these credentials to alter
the firewall if the administrator has not properly secured access to
1. A basic rule in firewall administration is to only allow connections to
the firewall-administration-options from specific IP addresses (or
preferably, specific IP addresses connecting from a management network to
the management interface of the firewall). When this best practice is
applied, an attacker that manages to gain administration credentials as
described above will not be able to abuse them too easily.
2. Manage your firewall from a dedicated workstation that has no
connections (directly OR through a proxy) to un-trusted networks in order
to avoid a credential push as described above.
3. Upgrade FortiOS 2.50MR4, which (according to fortinet) does not contain
The information has been provided by <mailto:email@example.com>
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: firstname.lastname@example.org
In order to subscribe to the mailing list, simply forward this email to: email@example.com
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.