[VulnWatch] vulnerabilities in fortigate firewall webinterface
From: Maarten Hartsuijker (maartenh_at_phreaker.net)
To: <firstname.lastname@example.org> Date: Wed, 12 Nov 2003 22:46:27 +0100
Several vulnerabilities in web interface of Fortigate firewall of which
the most serious one will under specific circumstances allow a remote
attacker to obtain a username and password of the Fortigate.
pre 2.50 maintenance release 4
Issue 3 - Fortinet OS 2.50 MR4, available from FTP as of 29
Issue 1 and 2 - Fortinet OS 2.50 MR5, available from FTP as of 05 Nov.
VENDOR FIRST NOTIFIED
Advisory posted on issue 3 a month ago.
1. Improper input validation.
2. Username and MD5 hash of password are stored in cookie.
3. Web filter log parses unfiltered session details.
IMPROPER INPUT VALIDATION
The variables from several URL's are parsed in the HTML code of the
resulting web page. However, the variables are not sanitized before they are
used. Therefore, they can be used to inject code into the admin interface.
The examples below show you an simple alert box, but this could just as well
be used to:
- Steel the cookie of the user that is logged in
- Include (for instance) the Cisco homepage into the website that
is displayed after clicking the URL.
Besides, improper input validation is also a very good starting point for
other types of attacks.