Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Device (Firewall)  >   Fortinet FortiGate/FortiOS Vendors:   Fortinet
FortiGate Firewall Log Viewer Filtering Flaw Permits Remote Scripting Code Execution When an Administrator Views Certain Logs
SecurityTracker Alert ID:  1007872
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 3 2003
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): prior to 2.50 maintenance release 4
Description:   Several vulnerabilities were reported in the FortiGate firewall. A remote user may be able to obtain an administrator's username and password to gain access the firewall.

It is reported that the web interface contains several flaws, one of which is described in this alert.

One flaw reportedly exists in the viewing of the web filter log files. The software does not filter certain characters from a denied URL. When a target administrator views the log files, HTML code contained in a denied URL will be executed on the target administrator's web browser. The code will run in the security context of the FortiGate web interface. As a result, a remote user can obtain the authentication credentials of the target administrator.

The vendor was reportedly notified on September 14, 2003.

Impact:   A remote user can access the target administrator's cookies (including authentication cookies) associated with the FortiGate firewall, access data recently submitted by the target administrator via web form to the firewall, or take actions on the firewall acting as the target administrator.
Solution:   The vendor has released a fixed version (Fortinet OS 2.50 MR4) that corrects one of the reported flaws. The author of the report indicates that other undisclosed flaws remain uncorrected.
Vendor URL: (Links to External Site)
Cause:   Input validation error

Message History:   None.

 Source Message Contents

Subject:  [VulnWatch] exploiting fortigate firewall through webinterface


 Several vulnerabilities in web interface of Fortigate firewall of which the
most serious one will allow a remote attacker to obtain a username and
password of the Fortigate.
 pre 2.50 maintenance release 4
 Fortinet OS 2.50 MR4, available from FTP as of 29 Sept. 2003

During a review of the FortiGate firewall, I noticed several security flaws
in their webapplication. Combining two of the issues could allow a remote
attacker to obtain a username and password of the fortigate. FortiNet has
fixed one of the most serious flaws in the maintenance release 4, that is
available for customers on their FTP as off this week. Since the other
issues have not yet been fixed, I will not disclose these details at this

After the web filter has been enabled, the administrator has the ability to
review the web filter logs via the web interface. The web filter logs
contain the URL that has been denied by the filter. Because of the fact that
unwanted characters are not stripped from the denied URL, a remote attacker
is able to gain the credentials of an administrator, as soon as the
administrator reviews the logs.

Pages with the keyword "mp3-download" are denied by the web filter. The page
<> contains such a keyword. A remote
attacker could poison the log files by retrieving ''<script>alert(oops)</script>

When altering the script a bit, the user credentials could easily be
forwarded to the attacker, who could then use these credentials to alter the
firewall if the administrator has not properly secured access to

1. A basic rule in firewall administration is to only allow connections to
the firewall-administration-options from specific IP addresses (or
preferably, specific IP addresses connecting from a management network to
the management interface of the firewall). When this best practise is
applyed, an attacker that manages to gain administration credentials as
described above, will not be able to abuse them too easily.
2. Manage your firewall from a dedicated workstation that has no connections
(directly OR through a proxy) to untrusted networks in order to avoid a
credential push as described above.
3. Upgrade FortiOS 2.50MR4, which (according to fortinet) does not contain
this problem.

The first two solutions will also prevent abusal by the issues that have not
yet been disclosed.


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, LLC