ID FORTIWEB_FG-IR-14-002.NASL Type nessus Reporter Tenable Modified 2015-04-23T00:00:00
Description
The remote host is running FortiWeb 5.x prior to 5.1.0. It is, therefore, affected by a cross-site scripting vulnerability in the web UI due to a failure to sanitize user-supplied input to the 'filter' parameter in the '/user/ldap_user/add' script. An attacker could potentially exploit this vulnerability to execute arbitrary JavaScript in the context of the end-user's browser.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(73530);
script_version("$Revision: 1.4 $");
script_cvs_date("$Date: 2015/04/23 20:09:18 $");
script_cve_id("CVE-2013-7181");
script_bugtraq_id(65303);
script_osvdb_id(102820);
script_xref(name:"CERT", value:"593118");
script_name(english:"Fortinet FortiWeb 5.x < 5.1.0 XSS");
script_summary(english:"Checks the version of FortiWeb.");
script_set_attribute(attribute:"synopsis", value:"The remote host is affected by a cross-site scripting vulnerability.");
script_set_attribute(attribute:"description", value:
"The remote host is running FortiWeb 5.x prior to 5.1.0. It is,
therefore, affected by a cross-site scripting vulnerability in the web
UI due to a failure to sanitize user-supplied input to the 'filter'
parameter in the '/user/ldap_user/add' script. An attacker could
potentially exploit this vulnerability to execute arbitrary JavaScript
in the context of the end-user's browser.");
script_set_attribute(attribute:"see_also", value:"http://www.fortiguard.com/advisory/FG-IR-14-002");
script_set_attribute(attribute:"solution", value:"Upgrade to Fortinet FortiWeb 5.1.0 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
script_set_attribute(attribute:"vuln_publication_date", value:"2014/02/03");
script_set_attribute(attribute:"patch_publication_date", value:"2014/01/16");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/04/15");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:fortinet:fortiweb");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses : XSS");
script_copyright(english:"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.");
script_dependencies("fortinet_version.nbin");
script_require_keys("Host/Fortigate/model", "Host/Fortigate/version", "Host/Fortigate/build");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
app_name = "FortiWeb";
model = get_kb_item_or_exit("Host/Fortigate/model");
version = get_kb_item_or_exit("Host/Fortigate/version");
build = get_kb_item_or_exit("Host/Fortigate/build");
vuln = FALSE;
# Make sure device is FortiWeb.
if (!preg(string:model, pattern:"fortiweb", icase:TRUE)) audit(AUDIT_HOST_NOT, "a " + app_name + " device");
# Only 5.x is affected.
if (version =~ "^5\.")
{
max_affected = "5.0.3";
max_affected_build = 57;
fix = "5.1.0";
}
else audit(AUDIT_INST_VER_NOT_VULN, app_name, version);
# If build number is available, this is the safest comparison.
# Otherwise compare version numbers.
if (build !~ "Unknown")
{
if (int(build) <= max_affected_build) vuln = TRUE;
}
else if (ver_compare(ver:version, fix:max_affected, strict:FALSE) <= 0) vuln = TRUE;
if (vuln)
{
port = 0;
set_kb_item(name:"www/"+port+"/XSS", value:TRUE);
if (report_verbosity > 0)
{
report =
'\n Model : ' + model +
'\n Installed version : ' + version +
'\n Fixed version : ' + fix +
'\n';
security_warning(extra:report, port:port);
}
else security_warning(port:port);
exit(0);
}
else audit(AUDIT_INST_VER_NOT_VULN, app_name, version);
{"published": "2014-04-15T00:00:00", "id": "FORTIWEB_FG-IR-14-002.NASL", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "history": [{"differentElements": ["cpe"], "edition": 1, "lastseen": "2016-09-26T17:24:27", "bulletin": {"enchantments": {}, "published": "2014-04-15T00:00:00", "id": "FORTIWEB_FG-IR-14-002.NASL", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "history": [], "cpe": [], "hash": "2103659810f78178d08bb4dbfc88c5e7dc540005e25f1bb24b8b39443ac9fdc1", "description": "The remote host is running FortiWeb 5.x prior to 5.1.0. It is, therefore, affected by a cross-site scripting vulnerability in the web UI due to a failure to sanitize user-supplied input to the 'filter' parameter in the '/user/ldap_user/add' script. An attacker could potentially exploit this vulnerability to execute arbitrary JavaScript in the context of the end-user's browser.", "type": "nessus", "pluginID": "73530", "lastseen": "2016-09-26T17:24:27", "edition": 1, "title": "Fortinet FortiWeb 5.x < 5.1.0 XSS", "href": "https://www.tenable.com/plugins/index.php?view=single&id=73530", "modified": "2015-04-23T00:00:00", "bulletinFamily": "scanner", "viewCount": 0, "cvelist": ["CVE-2013-7181"], "references": ["http://www.fortiguard.com/advisory/FG-IR-14-002"], "naslFamily": "CGI abuses : XSS", "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73530);\n script_version(\"$Revision: 1.4 $\");\n script_cvs_date(\"$Date: 2015/04/23 20:09:18 $\");\n\n script_cve_id(\"CVE-2013-7181\");\n script_bugtraq_id(65303);\n script_osvdb_id(102820);\n script_xref(name:\"CERT\", value:\"593118\");\n\n script_name(english:\"Fortinet FortiWeb 5.x < 5.1.0 XSS\");\n script_summary(english:\"Checks the version of FortiWeb.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is affected by a cross-site scripting vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running FortiWeb 5.x prior to 5.1.0. It is,\ntherefore, affected by a cross-site scripting vulnerability in the web\nUI due to a failure to sanitize user-supplied input to the 'filter'\nparameter in the '/user/ldap_user/add' script. An attacker could\npotentially exploit this vulnerability to execute arbitrary JavaScript\nin the context of the end-user's browser.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.fortiguard.com/advisory/FG-IR-14-002\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Fortinet FortiWeb 5.1.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/02/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/01/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fortinet:fortiweb\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n\n script_dependencies(\"fortinet_version.nbin\");\n script_require_keys(\"Host/Fortigate/model\", \"Host/Fortigate/version\", \"Host/Fortigate/build\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\napp_name = \"FortiWeb\";\nmodel = get_kb_item_or_exit(\"Host/Fortigate/model\");\nversion = get_kb_item_or_exit(\"Host/Fortigate/version\");\nbuild = get_kb_item_or_exit(\"Host/Fortigate/build\");\nvuln = FALSE;\n\n# Make sure device is FortiWeb.\nif (!preg(string:model, pattern:\"fortiweb\", icase:TRUE)) audit(AUDIT_HOST_NOT, \"a \" + app_name + \" device\");\n\n# Only 5.x is affected.\nif (version =~ \"^5\\.\")\n{\n max_affected = \"5.0.3\";\n max_affected_build = 57;\n fix = \"5.1.0\";\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, app_name, version);\n\n# If build number is available, this is the safest comparison.\n# Otherwise compare version numbers.\nif (build !~ \"Unknown\")\n{\n if (int(build) <= max_affected_build) vuln = TRUE;\n}\nelse if (ver_compare(ver:version, fix:max_affected, strict:FALSE) <= 0) vuln = TRUE;\n\nif (vuln)\n{\n port = 0;\n set_kb_item(name:\"www/\"+port+\"/XSS\", value:TRUE);\n if (report_verbosity > 0)\n {\n report =\n '\\n Model : ' + model +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n\n security_warning(extra:report, port:port);\n }\n else security_warning(port:port);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, app_name, version);\n", "hashmap": [{"hash": "6e9bdd2021503689a2ad9254c9cdf2b3", "key": "cvss"}, {"hash": "bae6a614f57536659ef89e3a491d6030", "key": "pluginID"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "bfa355546d6ebf05ab68c515317f2305", "key": "cvelist"}, {"hash": "fdcfef5c1623fa1c9200d46af4501528", "key": "description"}, {"hash": "61e021375865ee20d8f9e2562510b86f", "key": "naslFamily"}, {"hash": "525642db8265757482d6d1c71faf5f37", "key": "title"}, {"hash": "e7b3a915fb5018dc6c7b454c791cbb9d", "key": "href"}, {"hash": "16ad1d36056ef6d41d080cc8f7168ccf", "key": "sourceData"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "9cc51583c024a754e50753d935240eca", "key": "references"}, {"hash": "3110310d810944dbf1b77d4fbc340e18", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "91a222bb1150aecb4099787c2d7f68e4", "key": "published"}], "objectVersion": "1.2"}}], "description": "The remote host is running FortiWeb 5.x prior to 5.1.0. It is, therefore, affected by a cross-site scripting vulnerability in the web UI due to a failure to sanitize user-supplied input to the 'filter' parameter in the '/user/ldap_user/add' script. An attacker could potentially exploit this vulnerability to execute arbitrary JavaScript in the context of the end-user's browser.", "hash": "d0c7abff561f26996f9a67e098e2da49fcd0629592997ad15cac8080272dcc0c", "enchantments": {"vulnersScore": 4.3}, "type": "nessus", "pluginID": "73530", "lastseen": "2017-10-29T13:37:40", "edition": 2, "cpe": ["cpe:/o:fortinet:fortiweb"], "title": "Fortinet FortiWeb 5.x < 5.1.0 XSS", "href": "https://www.tenable.com/plugins/index.php?view=single&id=73530", "modified": "2015-04-23T00:00:00", "bulletinFamily": "scanner", "viewCount": 0, "cvelist": ["CVE-2013-7181"], "references": ["http://www.fortiguard.com/advisory/FG-IR-14-002"], "naslFamily": "CGI abuses : XSS", "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73530);\n script_version(\"$Revision: 1.4 $\");\n script_cvs_date(\"$Date: 2015/04/23 20:09:18 $\");\n\n script_cve_id(\"CVE-2013-7181\");\n script_bugtraq_id(65303);\n script_osvdb_id(102820);\n script_xref(name:\"CERT\", value:\"593118\");\n\n script_name(english:\"Fortinet FortiWeb 5.x < 5.1.0 XSS\");\n script_summary(english:\"Checks the version of FortiWeb.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is affected by a cross-site scripting vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running FortiWeb 5.x prior to 5.1.0. It is,\ntherefore, affected by a cross-site scripting vulnerability in the web\nUI due to a failure to sanitize user-supplied input to the 'filter'\nparameter in the '/user/ldap_user/add' script. An attacker could\npotentially exploit this vulnerability to execute arbitrary JavaScript\nin the context of the end-user's browser.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.fortiguard.com/advisory/FG-IR-14-002\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Fortinet FortiWeb 5.1.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/02/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/01/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fortinet:fortiweb\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n\n script_dependencies(\"fortinet_version.nbin\");\n script_require_keys(\"Host/Fortigate/model\", \"Host/Fortigate/version\", \"Host/Fortigate/build\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\napp_name = \"FortiWeb\";\nmodel = get_kb_item_or_exit(\"Host/Fortigate/model\");\nversion = get_kb_item_or_exit(\"Host/Fortigate/version\");\nbuild = get_kb_item_or_exit(\"Host/Fortigate/build\");\nvuln = FALSE;\n\n# Make sure device is FortiWeb.\nif (!preg(string:model, pattern:\"fortiweb\", icase:TRUE)) audit(AUDIT_HOST_NOT, \"a \" + app_name + \" device\");\n\n# Only 5.x is affected.\nif (version =~ \"^5\\.\")\n{\n max_affected = \"5.0.3\";\n max_affected_build = 57;\n fix = \"5.1.0\";\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, app_name, version);\n\n# If build number is available, this is the safest comparison.\n# Otherwise compare version numbers.\nif (build !~ \"Unknown\")\n{\n if (int(build) <= max_affected_build) vuln = TRUE;\n}\nelse if (ver_compare(ver:version, fix:max_affected, strict:FALSE) <= 0) vuln = TRUE;\n\nif (vuln)\n{\n port = 0;\n set_kb_item(name:\"www/\"+port+\"/XSS\", value:TRUE);\n if (report_verbosity > 0)\n {\n report =\n '\\n Model : ' + model +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n\n security_warning(extra:report, port:port);\n }\n else security_warning(port:port);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, app_name, version);\n", "hashmap": [{"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "9e0dd2d84677a3c8821eb0050dab8147", "key": "cpe"}, {"hash": "bfa355546d6ebf05ab68c515317f2305", "key": "cvelist"}, {"hash": "6e9bdd2021503689a2ad9254c9cdf2b3", "key": "cvss"}, {"hash": "fdcfef5c1623fa1c9200d46af4501528", "key": "description"}, {"hash": "e7b3a915fb5018dc6c7b454c791cbb9d", "key": "href"}, {"hash": "3110310d810944dbf1b77d4fbc340e18", "key": "modified"}, {"hash": "61e021375865ee20d8f9e2562510b86f", "key": "naslFamily"}, {"hash": "bae6a614f57536659ef89e3a491d6030", "key": "pluginID"}, {"hash": "91a222bb1150aecb4099787c2d7f68e4", "key": "published"}, {"hash": "9cc51583c024a754e50753d935240eca", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "16ad1d36056ef6d41d080cc8f7168ccf", "key": "sourceData"}, {"hash": "525642db8265757482d6d1c71faf5f37", "key": "title"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}], "objectVersion": "1.3"}
{"result": {"cve": [{"id": "CVE-2013-7181", "type": "cve", "title": "CVE-2013-7181", "description": "Cross-site scripting (XSS) vulnerability in user/ldap_user/add in Fortinet FortiOS 5.0.3 allows remote attackers to inject arbitrary web script or HTML via the filter parameter.", "published": "2014-02-04T00:39:08", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7181", "cvelist": ["CVE-2013-7181"], "lastseen": "2016-09-03T19:18:20"}], "cert": [{"id": "VU:593118", "type": "cert", "title": "Fortinet Fortiweb 5.0.3 contains a reflected cross-site scripting vulnerability", "description": "### Overview\n\nFortinet Fortiweb 5.0.3, and possibly earlier versions, contains a cross-site scripting vulnerability. ([CWE-79](<http://cwe.mitre.org/data/definitions/79.html>))\n\n### Description\n\n[**CWE-79**](<http://cwe.mitre.org/data/definitions/79.html>)**: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')**\n\nFortinet Fortiweb 5.0.3, and possibly earlier versions, contains a cross-site scripting vulnerability. The \"`filter`\" parameter in the \"`/user/ldap_user/add`\" page is vulnerable to a reflected cross-site scripting attack. \n \n--- \n \n### Impact\n\nA remote unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session. \n \n--- \n \n### Solution\n\n**Apply an Update** \n \nThe vendor has released [FortiWeb 5.1.0](<http://www.fortiguard.com/advisory/FG-IR-14-002/>) to address this vulnerability. If you are unable to upgrade, please consider the following workaround. \n \n--- \n \n**Restrict access** \n \nAs a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS or CSRF attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing the Fortiweb interface using stolen credentials from a blocked network location. \n \n--- \n \n### Vendor Information \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nFortinet, Inc.| | 20 Nov 2013| 03 Feb 2014 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23593118 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 4.3 | AV:N/AC:M/Au:N/C:P/I:N/A:N \nTemporal | 3.3 | E:U/RL:ND/RC:UC \nEnvironmental | 3.3 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND \n \n### References\n\n * <http://www.fortiguard.com/advisory/FG-IR-14-002/>\n * <http://cwe.mitre.org/data/definitions/79.html>\n * <http://www.fortinet.com/products/fortiweb/>\n\n### Credit\n\nThanks to William Costa for reporting this vulnerability.\n\nThis document was written by Jared Allar.\n\n### Other Information\n\n * CVE IDs: [CVE-2013-7181](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7181>)\n * Date Public: 03 Feb 2014\n * Date First Published: 03 Feb 2014\n * Date Last Updated: 04 Feb 2014\n * Document Revision: 15\n\n", "published": "2014-02-03T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.kb.cert.org/vuls/id/593118", "cvelist": ["CVE-2013-7181", "CVE-2013-7181"], "lastseen": "2016-02-03T09:13:24"}], "openvas": [{"id": "OPENVAS:1361412562310105206", "type": "openvas", "title": "FortiOS: FortiWeb Cross-Site Scripting Vulnerability", "description": "Fortiweb 5.0.3 and earlier versions contain a cross-site scripting vulnerability. The filter parameter in the URL ", "published": "2015-02-11T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105206", "cvelist": ["CVE-2013-7181"], "lastseen": "2018-04-11T11:30:02"}], "packetstorm": [{"id": "PACKETSTORM:125049", "type": "packetstorm", "title": "FortiWeb 5.0.3 Cross Site Scripting", "description": "", "published": "2014-02-04T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://packetstormsecurity.com/files/125049/FortiWeb-5.0.3-Cross-Site-Scripting.html", "cvelist": ["CVE-2013-7181"], "lastseen": "2016-12-05T22:20:03"}]}}
