ID FORTIWEB_FG-IR-14-002.NASL Type nessus Reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2021-01-02T00:00:00
Description
The remote host is running FortiWeb 5.x prior to 5.1.0. It is,
therefore, affected by a cross-site scripting vulnerability in the web
UI due to a failure to sanitize user-supplied input to the 'filter'
parameter in the '/user/ldap_user/add' script. An attacker could
potentially exploit this vulnerability to execute arbitrary JavaScript
in the context of the end-user's browser.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Plugin registration. This branch runs only when `description` is set: it
# declares the plugin's identifiers, advisory text, scoring and prerequisites,
# then exits so that none of the detection logic further down is executed.
if (description)
{
script_id(73530);
script_version("1.7");
script_cvs_date("Date: 2019/11/26");
# Cross-references to the CVE, Bugtraq and CERT records for this issue.
script_cve_id("CVE-2013-7181");
script_bugtraq_id(65303);
script_xref(name:"CERT", value:"593118");
script_name(english:"Fortinet FortiWeb 5.x < 5.1.0 XSS");
# The summary states what the plugin actually does: it checks a version.
script_summary(english:"Checks the version of FortiWeb.");
script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by a cross-site scripting vulnerability.");
script_set_attribute(attribute:"description", value:
"The remote host is running FortiWeb 5.x prior to 5.1.0. It is,
therefore, affected by a cross-site scripting vulnerability in the web
UI due to a failure to sanitize user-supplied input to the 'filter'
parameter in the '/user/ldap_user/add' script. An attacker could
potentially exploit this vulnerability to execute arbitrary JavaScript
in the context of the end-user's browser.");
script_set_attribute(attribute:"see_also", value:"https://fortiguard.com/psirt/FG-IR-14-002");
script_set_attribute(attribute:"solution", value:
"Upgrade to Fortinet FortiWeb 5.1.0 or later.");
# CVSS v2 base vector: network access, medium access complexity, no
# authentication, partial integrity impact, no confidentiality or
# availability impact.
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
# CVSS v2 temporal vector: E:H (exploitability high), RL:OF (official fix
# available), RC:C (report confirmed).
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"true");
# CWE-79 is the cross-site scripting entry; the other IDs are presumably
# related parent and view categories -- TODO confirm against the CWE catalogue.
script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
# The recorded patch date (2014/01/16) precedes the recorded public
# disclosure date (2014/02/03).
script_set_attribute(attribute:"vuln_publication_date", value:"2014/02/03");
script_set_attribute(attribute:"patch_publication_date", value:"2014/01/16");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/04/15");
# plugin_type is "local": together with the required KB keys below, the
# finding is derived from previously collected device facts, not from a
# request sent to the web UI.
script_set_attribute(attribute:"plugin_type", value:"local");
# The CPE is registered with the 'o' (operating system) part.
script_set_attribute(attribute:"cpe", value:"cpe:/o:fortinet:fortiweb");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses : XSS");
script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
# Prerequisites: fortinet_version.nbin is declared as a dependency and all
# three Host/Fortigate/* keys must be present. Presumably that dependency is
# what populates them (it is not shown here); if it cannot identify the
# device, the keys are missing and this plugin produces no result either way.
script_dependencies("fortinet_version.nbin");
script_require_keys("Host/Fortigate/model", "Host/Fortigate/version", "Host/Fortigate/build");
# Registration pass ends here.
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
# Detection logic: decide from knowledge-base facts alone whether the device is
# a FortiWeb 5.x release at or below the last affected build/version. Nothing in
# this section sends a request to the device, so a positive result means "the
# recorded version is in the affected range", not "the flaw was observed".
app_name = "FortiWeb";

# Each lookup ends the script if its key is absent.
model   = get_kb_item_or_exit("Host/Fortigate/model");
version = get_kb_item_or_exit("Host/Fortigate/version");
build   = get_kb_item_or_exit("Host/Fortigate/build");

# Guard: the Host/Fortigate/* keys are not FortiWeb-specific, so the model
# string must contain "fortiweb" (case-insensitive, unanchored match).
if (!preg(string:model, pattern:"fortiweb", icase:TRUE))
  audit(AUDIT_HOST_NOT, "a " + app_name + " device");

# Guard: only the 5.x branch is treated as affected. The thresholds below are
# only meaningful because audit() is relied on to end the script here.
if (version !~ "^5\.")
  audit(AUDIT_INST_VER_NOT_VULN, app_name, version);

max_affected       = "5.0.3";
max_affected_build = 57;
fix                = "5.1.0";

# Prefer the build number when one was recorded; fall back to a dotted-version
# comparison only when the build is reported as "Unknown".
# NOTE(review): the fallback flags versions <= 5.0.3 only, so a 5.0.x release
# above 5.0.3 with an unknown build is reported as not vulnerable even though
# the fixed version is 5.1.0 -- confirm the affected range against the vendor
# advisory.
# NOTE(review): a build value that is neither numeric nor "Unknown" would
# presumably convert to 0 and be flagged -- confirm what the dependency stores.
vuln = FALSE;
if (build =~ "Unknown")
{
  if (ver_compare(ver:version, fix:max_affected, strict:FALSE) <= 0) vuln = TRUE;
}
else if (int(build) <= max_affected_build) vuln = TRUE;

if (!vuln) audit(AUDIT_INST_VER_NOT_VULN, app_name, version);

# Affected: record an XSS flag in the knowledge base and raise the finding.
# Port 0 is used for both, i.e. the result is not tied to a specific service
# port.
port = 0;
set_kb_item(name:"www/" + port + "/XSS", value:TRUE);

if (report_verbosity > 0)
{
  # Verbose output tells the operator which model/version was matched and
  # which release to upgrade to.
  report =
    '\n Model : ' + model +
    '\n Installed version : ' + version +
    '\n Fixed version : ' + fix +
    '\n';
  security_warning(extra:report, port:port);
}
else security_warning(port:port);

exit(0);
{"id": "FORTIWEB_FG-IR-14-002.NASL", "bulletinFamily": "scanner", "title": "Fortinet FortiWeb 5.x < 5.1.0 XSS", "description": "The remote host is running FortiWeb 5.x prior to 5.1.0. It is,\ntherefore, affected by a cross-site scripting vulnerability in the web\nUI due to a failure to sanitize user-supplied input to the 'filter'\nparameter in the '/user/ldap_user/add' script. An attacker could\npotentially exploit this vulnerability to execute arbitrary JavaScript\nin the context of the end-user's browser.", "published": "2014-04-15T00:00:00", "modified": "2021-01-02T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "https://www.tenable.com/plugins/nessus/73530", "reporter": "This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://fortiguard.com/psirt/FG-IR-14-002"], "cvelist": ["CVE-2013-7181"], "type": "nessus", "lastseen": "2021-01-01T02:34:56", "edition": 26, "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-7181"]}, {"type": "cert", "idList": ["VU:593118"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310105206"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:125049"]}], "modified": "2021-01-01T02:34:56", "rev": 2}, "score": {"value": 4.9, "vector": "NONE", "modified": "2021-01-01T02:34:56", "rev": 2}, "vulnersScore": 4.9}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73530);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/11/26\");\n\n script_cve_id(\"CVE-2013-7181\");\n script_bugtraq_id(65303);\n script_xref(name:\"CERT\", value:\"593118\");\n\n script_name(english:\"Fortinet FortiWeb 5.x < 5.1.0 XSS\");\n script_summary(english:\"Checks the version of FortiWeb.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by a cross-site scripting vulnerability.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"The remote host is running FortiWeb 5.x prior to 5.1.0. It is,\ntherefore, affected by a cross-site scripting vulnerability in the web\nUI due to a failure to sanitize user-supplied input to the 'filter'\nparameter in the '/user/ldap_user/add' script. An attacker could\npotentially exploit this vulnerability to execute arbitrary JavaScript\nin the context of the end-user's browser.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://fortiguard.com/psirt/FG-IR-14-002\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Fortinet FortiWeb 5.1.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/02/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/01/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fortinet:fortiweb\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"fortinet_version.nbin\");\n script_require_keys(\"Host/Fortigate/model\", \"Host/Fortigate/version\", \"Host/Fortigate/build\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\napp_name = \"FortiWeb\";\nmodel = get_kb_item_or_exit(\"Host/Fortigate/model\");\nversion = get_kb_item_or_exit(\"Host/Fortigate/version\");\nbuild = get_kb_item_or_exit(\"Host/Fortigate/build\");\nvuln = FALSE;\n\n# Make sure device is FortiWeb.\nif (!preg(string:model, pattern:\"fortiweb\", icase:TRUE)) audit(AUDIT_HOST_NOT, \"a \" + app_name + \" device\");\n\n# Only 5.x is affected.\nif (version =~ \"^5\\.\")\n{\n max_affected = \"5.0.3\";\n max_affected_build = 57;\n fix = \"5.1.0\";\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, app_name, version);\n\n# If build number is available, this is the safest comparison.\n# Otherwise compare version numbers.\nif (build !~ \"Unknown\")\n{\n if (int(build) <= max_affected_build) vuln = TRUE;\n}\nelse if (ver_compare(ver:version, fix:max_affected, strict:FALSE) <= 0) vuln = TRUE;\n\nif (vuln)\n{\n port = 0;\n set_kb_item(name:\"www/\"+port+\"/XSS\", value:TRUE);\n if (report_verbosity > 0)\n {\n report =\n '\\n Model : ' + model +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n\n security_warning(extra:report, port:port);\n }\n else security_warning(port:port);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, app_name, version);\n", "naslFamily": "CGI abuses : XSS", "pluginID": "73530", "cpe": ["cpe:/o:fortinet:fortiweb"], "scheme": null}
{"cve": [{"lastseen": "2020-10-03T12:46:09", "description": "Cross-site scripting (XSS) vulnerability in user/ldap_user/add in Fortinet FortiOS 5.0.3 allows remote attackers to inject arbitrary web script or HTML via the filter parameter.\nPer: http://www.kb.cert.org/vuls/id/593118\n\n\"Fortinet Fortiweb 5.0.3, and possibly earlier versions, contains a cross-site scripting vulnerability. (CWE-79)\"", "edition": 3, "cvss3": {}, "published": "2014-02-04T05:39:00", "title": "CVE-2013-7181", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-7181"], "modified": "2015-07-27T16:12:00", "cpe": ["cpe:/a:fortinet:fortiweb:5.0.3"], "id": "CVE-2013-7181", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7181", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:fortinet:fortiweb:5.0.3:*:*:*:*:*:*:*"]}], "cert": [{"lastseen": "2020-09-18T20:41:41", "bulletinFamily": "info", "cvelist": ["CVE-2013-7181"], "description": "### Overview \n\nFortinet Fortiweb 5.0.3, and possibly earlier versions, contains a cross-site scripting vulnerability. ([CWE-79](<http://cwe.mitre.org/data/definitions/79.html>))\n\n### Description \n\n[**CWE-79**](<http://cwe.mitre.org/data/definitions/79.html>)**: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')**\n\nFortinet Fortiweb 5.0.3, and possibly earlier versions, contains a cross-site scripting vulnerability. 
The \"`filter`\" parameter in the \"`/user/ldap_user/add`\" page is vulnerable to a reflected cross-site scripting attack. \n \n--- \n \n### Impact \n\nA remote unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session. \n \n--- \n \n### Solution \n\n**Apply an Update** \n \nThe vendor has released [FortiWeb 5.1.0](<http://www.fortiguard.com/advisory/FG-IR-14-002/>) to address this vulnerability. If you are unable to upgrade, please consider the following workaround. \n \n--- \n \n**Restrict access** \n \nAs a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS or CSRF attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing the Fortiweb interface using stolen credentials from a blocked network location. \n \n--- \n \n### Vendor Information\n\n593118\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Fortinet, Inc. 
Affected\n\nNotified: November 20, 2013 Updated: February 03, 2014 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 4.3 | AV:N/AC:M/Au:N/C:P/I:N/A:N \nTemporal | 3.3 | E:U/RL:ND/RC:UC \nEnvironmental | 3.3 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <http://www.fortiguard.com/advisory/FG-IR-14-002/>\n * <http://cwe.mitre.org/data/definitions/79.html>\n * <http://www.fortinet.com/products/fortiweb/>\n\n### Acknowledgements\n\nThanks to William Costa for reporting this vulnerability.\n\nThis document was written by Jared Allar.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2013-7181](<http://web.nvd.nist.gov/vuln/detail/CVE-2013-7181>) \n---|--- \n**Date Public:** | 2014-02-03 \n**Date First Published:** | 2014-02-03 \n**Date Last Updated: ** | 2014-02-04 12:59 UTC \n**Document Revision: ** | 16 \n", "modified": "2014-02-04T12:59:00", "published": "2014-02-03T00:00:00", "id": "VU:593118", "href": "https://www.kb.cert.org/vuls/id/593118", "type": "cert", "title": "Fortinet Fortiweb 5.0.3 contains a reflected cross-site scripting vulnerability", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2019-05-29T18:36:32", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-7181"], "description": "Fortiweb 5.0.3 and earlier versions contain a cross-site scripting vulnerability. 
The filter parameter in the URL ", "modified": "2018-10-26T00:00:00", "published": "2015-02-11T00:00:00", "id": "OPENVAS:1361412562310105206", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105206", "type": "openvas", "title": "FortiOS: FortiWeb Cross-Site Scripting Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fortiweb_FG-IR-14-002.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# FortiOS: FortiWeb Cross-Site Scripting Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:fortinet:fortiweb\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105206\");\n script_cve_id(\"CVE-2013-7181\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_version(\"$Revision: 12106 $\");\n\n script_name(\"FortiOS: FortiWeb Cross-Site Scripting Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://fortiguard.com/psirt/FG-IR-14-002\");\n\n script_tag(name:\"impact\", value:\"A remote unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"solution\", value:\"Upgrade to FortiWeb 5.1.0 or higher.\");\n\n script_tag(name:\"summary\", value:\"Fortiweb 5.0.3 and earlier versions contain a cross-site scripting vulnerability. 
The filter parameter in the URL '/user/ldap_user/add'\nis vulnerable to cross-site scripting attack.\");\n\n script_tag(name:\"affected\", value:\"FortiWeb 5.0.3 and lower.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-02-11 12:17:13 +0100 (Wed, 11 Feb 2015)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"FortiOS Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2015 Greenbone Networks GmbH\");\n script_dependencies(\"gb_fortiweb_version.nasl\");\n script_mandatory_keys(\"fortiweb/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nversion = get_app_version( cpe:CPE );\nif( ! version )\n version = get_kb_item(\"fortiweb/version\");\n\nif( ! version ) exit( 0 );\n\nfix = \"5.1.0\";\n\nif( version_is_less( version:version, test_version:fix ) )\n{\n model = get_kb_item(\"fortiweb/model\");\n if( ! isnull( model ) ) report = 'Model: ' + model + '\\n';\n report += 'Installed Version: ' + version + '\\nFixed Version: ' + fix + '\\n';\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "packetstorm": [{"lastseen": "2016-12-05T22:20:03", "description": "", "published": "2014-02-04T00:00:00", "type": "packetstorm", "title": "FortiWeb 5.0.3 Cross Site Scripting", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-7181"], "modified": "2014-02-04T00:00:00", "id": "PACKETSTORM:125049", "href": "https://packetstormsecurity.com/files/125049/FortiWeb-5.0.3-Cross-Site-Scripting.html", "sourceData": "`I. 
VULNERABILITY \n \n------------------------- \n \nXSS Reflected vulnerabilities in OS of FortiWeb v 5.0.3 \n \nCVE-2013-7181 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7181> \n \n \nII. BACKGROUND \n \n------------------------- \n \nFortinet's industry-leading, Network Security Platforms deliver Next \nGeneration Firewall (NGFW) security with exceptional throughput, ultra \nlow latency, and multi-vector threat protection. \n \n \n \nIII. DESCRIPTION \n \n------------------------- \n \nHas been detected a XSS Reflected vulnerability in Fortiweb in \" \n/user/ldap_user/add\" parameter \"filter\" 5.0.3 , that allows the \nexecution of arbitrary HTML/script code to be executed in the context \nof the victim user's browser and/or Session Hijacking attack \n \n \n \n \n \nIV. PROOF OF CONCEPT \n \n------------------------- \n \nThe application does not validate the parameter filter in \" \n/user/ldap_user/add\". \n \n \n \n \nV. BUSINESS IMPACT \n \n------------------------- \n \n \n \nThat allows the execution attackers to hijack the authentication of \nadministrators. \n \n \n \nVI. REQUIREMENTS \n \n----------------------- \n \nAn Attacker needs to know the IP of the device. \n \nAn Administrator needs an authenticated connection to the device. \n \n \n \nVII. SYSTEMS AFFECTED \n \n------------------------- \n \nTry FortiWEB VM or appliance v5.0.3 \n \n \n \n \n \nVIII. SOLUTION \n \n------------------------- \n \nUpgrade to FortiWeb 5.1.0 or higher. \n \n \nBy William Costa \n`\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/125049/fortiweb503-xss.txt"}]}