ID FORTIWEB_FG-IR-14-002.NASL Type nessus Reporter Tenable Modified 2018-07-11T00:00:00
Description
The remote host is running FortiWeb 5.x prior to 5.1.0. It is, therefore, affected by a cross-site scripting vulnerability in the web UI due to a failure to sanitize user-supplied input to the 'filter' parameter in the '/user/ldap_user/add' script. An attacker could potentially exploit this vulnerability to execute arbitrary JavaScript in the context of the end-user's browser.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(73530);
script_version("1.5");
script_cvs_date("Date: 2018/07/11 17:09:24");
script_cve_id("CVE-2013-7181");
script_bugtraq_id(65303);
script_xref(name:"CERT", value:"593118");
script_name(english:"Fortinet FortiWeb 5.x < 5.1.0 XSS");
script_summary(english:"Checks the version of FortiWeb.");
script_set_attribute(attribute:"synopsis", value:"The remote host is affected by a cross-site scripting vulnerability.");
script_set_attribute(attribute:"description", value:
"The remote host is running FortiWeb 5.x prior to 5.1.0. It is,
therefore, affected by a cross-site scripting vulnerability in the web
UI due to a failure to sanitize user-supplied input to the 'filter'
parameter in the '/user/ldap_user/add' script. An attacker could
potentially exploit this vulnerability to execute arbitrary JavaScript
in the context of the end-user's browser.");
script_set_attribute(attribute:"see_also", value:"http://www.fortiguard.com/advisory/FG-IR-14-002");
script_set_attribute(attribute:"solution", value:"Upgrade to Fortinet FortiWeb 5.1.0 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
script_set_attribute(attribute:"vuln_publication_date", value:"2014/02/03");
script_set_attribute(attribute:"patch_publication_date", value:"2014/01/16");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/04/15");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:fortinet:fortiweb");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses : XSS");
script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
script_dependencies("fortinet_version.nbin");
script_require_keys("Host/Fortigate/model", "Host/Fortigate/version", "Host/Fortigate/build");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
app_name = "FortiWeb";
model = get_kb_item_or_exit("Host/Fortigate/model");
version = get_kb_item_or_exit("Host/Fortigate/version");
build = get_kb_item_or_exit("Host/Fortigate/build");
vuln = FALSE;
# Make sure device is FortiWeb.
if (!preg(string:model, pattern:"fortiweb", icase:TRUE)) audit(AUDIT_HOST_NOT, "a " + app_name + " device");
# Only 5.x is affected.
if (version =~ "^5\.")
{
max_affected = "5.0.3";
max_affected_build = 57;
fix = "5.1.0";
}
else audit(AUDIT_INST_VER_NOT_VULN, app_name, version);
# If build number is available, this is the safest comparison.
# Otherwise compare version numbers.
if (build !~ "Unknown")
{
if (int(build) <= max_affected_build) vuln = TRUE;
}
else if (ver_compare(ver:version, fix:max_affected, strict:FALSE) <= 0) vuln = TRUE;
if (vuln)
{
port = 0;
set_kb_item(name:"www/"+port+"/XSS", value:TRUE);
if (report_verbosity > 0)
{
report =
'\n Model : ' + model +
'\n Installed version : ' + version +
'\n Fixed version : ' + fix +
'\n';
security_warning(extra:report, port:port);
}
else security_warning(port:port);
exit(0);
}
else audit(AUDIT_INST_VER_NOT_VULN, app_name, version);
{"id": "FORTIWEB_FG-IR-14-002.NASL", "bulletinFamily": "scanner", "title": "Fortinet FortiWeb 5.x < 5.1.0 XSS", "description": "The remote host is running FortiWeb 5.x prior to 5.1.0. It is, therefore, affected by a cross-site scripting vulnerability in the web UI due to a failure to sanitize user-supplied input to the 'filter' parameter in the '/user/ldap_user/add' script. An attacker could potentially exploit this vulnerability to execute arbitrary JavaScript in the context of the end-user's browser.", "published": "2014-04-15T00:00:00", "modified": "2018-07-11T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=73530", "reporter": "Tenable", "references": ["http://www.fortiguard.com/advisory/FG-IR-14-002"], "cvelist": ["CVE-2013-7181"], "type": "nessus", "lastseen": "2018-07-12T17:47:55", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:fortinet:fortiweb"], "cvelist": ["CVE-2013-7181"], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "The remote host is running FortiWeb 5.x prior to 5.1.0. It is, therefore, affected by a cross-site scripting vulnerability in the web UI due to a failure to sanitize user-supplied input to the 'filter' parameter in the '/user/ldap_user/add' script. An attacker could potentially exploit this vulnerability to execute arbitrary JavaScript in the context of the end-user's browser.", "edition": 2, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "hash": "d0c7abff561f26996f9a67e098e2da49fcd0629592997ad15cac8080272dcc0c", "hashmap": [{"hash": "6e9bdd2021503689a2ad9254c9cdf2b3", "key": "cvss"}, {"hash": "9e0dd2d84677a3c8821eb0050dab8147", "key": "cpe"}, {"hash": "bae6a614f57536659ef89e3a491d6030", "key": "pluginID"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "bfa355546d6ebf05ab68c515317f2305", "key": "cvelist"}, {"hash": "fdcfef5c1623fa1c9200d46af4501528", "key": "description"}, {"hash": "61e021375865ee20d8f9e2562510b86f", "key": "naslFamily"}, {"hash": "525642db8265757482d6d1c71faf5f37", "key": "title"}, {"hash": "e7b3a915fb5018dc6c7b454c791cbb9d", "key": "href"}, {"hash": "16ad1d36056ef6d41d080cc8f7168ccf", "key": "sourceData"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "9cc51583c024a754e50753d935240eca", "key": "references"}, {"hash": "3110310d810944dbf1b77d4fbc340e18", "key": "modified"}, {"hash": "91a222bb1150aecb4099787c2d7f68e4", "key": "published"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=73530", "id": "FORTIWEB_FG-IR-14-002.NASL", "lastseen": "2017-10-29T13:37:40", "modified": "2015-04-23T00:00:00", "naslFamily": "CGI abuses : XSS", "objectVersion": "1.3", "pluginID": "73530", "published": "2014-04-15T00:00:00", "references": ["http://www.fortiguard.com/advisory/FG-IR-14-002"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73530);\n script_version(\"$Revision: 1.4 $\");\n script_cvs_date(\"$Date: 2015/04/23 20:09:18 $\");\n\n script_cve_id(\"CVE-2013-7181\");\n script_bugtraq_id(65303);\n script_osvdb_id(102820);\n script_xref(name:\"CERT\", value:\"593118\");\n\n script_name(english:\"Fortinet FortiWeb 5.x < 5.1.0 XSS\");\n script_summary(english:\"Checks the version of FortiWeb.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is affected by a cross-site scripting vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running FortiWeb 5.x prior to 5.1.0. It is,\ntherefore, affected by a cross-site scripting vulnerability in the web\nUI due to a failure to sanitize user-supplied input to the 'filter'\nparameter in the '/user/ldap_user/add' script. An attacker could\npotentially exploit this vulnerability to execute arbitrary JavaScript\nin the context of the end-user's browser.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.fortiguard.com/advisory/FG-IR-14-002\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Fortinet FortiWeb 5.1.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/02/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/01/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fortinet:fortiweb\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n\n script_dependencies(\"fortinet_version.nbin\");\n script_require_keys(\"Host/Fortigate/model\", \"Host/Fortigate/version\", \"Host/Fortigate/build\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\napp_name = \"FortiWeb\";\nmodel = get_kb_item_or_exit(\"Host/Fortigate/model\");\nversion = get_kb_item_or_exit(\"Host/Fortigate/version\");\nbuild = get_kb_item_or_exit(\"Host/Fortigate/build\");\nvuln = FALSE;\n\n# Make sure device is FortiWeb.\nif (!preg(string:model, pattern:\"fortiweb\", icase:TRUE)) audit(AUDIT_HOST_NOT, \"a \" + app_name + \" device\");\n\n# Only 5.x is affected.\nif (version =~ \"^5\\.\")\n{\n max_affected = \"5.0.3\";\n max_affected_build = 57;\n fix = \"5.1.0\";\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, app_name, version);\n\n# If build number is available, this is the safest comparison.\n# Otherwise compare version numbers.\nif (build !~ \"Unknown\")\n{\n if (int(build) <= max_affected_build) vuln = TRUE;\n}\nelse if (ver_compare(ver:version, fix:max_affected, strict:FALSE) <= 0) vuln = TRUE;\n\nif (vuln)\n{\n port = 0;\n set_kb_item(name:\"www/\"+port+\"/XSS\", value:TRUE);\n if (report_verbosity > 0)\n {\n report =\n '\\n Model : ' + model +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n\n security_warning(extra:report, port:port);\n }\n else security_warning(port:port);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, app_name, version);\n", "title": "Fortinet FortiWeb 5.x < 5.1.0 XSS", "type": "nessus", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 2, "lastseen": "2017-10-29T13:37:40"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2013-7181"], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "The remote host is running FortiWeb 5.x prior to 5.1.0. It is, therefore, affected by a cross-site scripting vulnerability in the web UI due to a failure to sanitize user-supplied input to the 'filter' parameter in the '/user/ldap_user/add' script. An attacker could potentially exploit this vulnerability to execute arbitrary JavaScript in the context of the end-user's browser.", "edition": 1, "enchantments": {}, "hash": "2103659810f78178d08bb4dbfc88c5e7dc540005e25f1bb24b8b39443ac9fdc1", "hashmap": [{"hash": "6e9bdd2021503689a2ad9254c9cdf2b3", "key": "cvss"}, {"hash": "bae6a614f57536659ef89e3a491d6030", "key": "pluginID"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "bfa355546d6ebf05ab68c515317f2305", "key": "cvelist"}, {"hash": "fdcfef5c1623fa1c9200d46af4501528", "key": "description"}, {"hash": "61e021375865ee20d8f9e2562510b86f", "key": "naslFamily"}, {"hash": "525642db8265757482d6d1c71faf5f37", "key": "title"}, {"hash": "e7b3a915fb5018dc6c7b454c791cbb9d", "key": "href"}, {"hash": "16ad1d36056ef6d41d080cc8f7168ccf", "key": "sourceData"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "9cc51583c024a754e50753d935240eca", "key": "references"}, {"hash": "3110310d810944dbf1b77d4fbc340e18", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "91a222bb1150aecb4099787c2d7f68e4", "key": "published"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=73530", "id": "FORTIWEB_FG-IR-14-002.NASL", "lastseen": "2016-09-26T17:24:27", "modified": "2015-04-23T00:00:00", "naslFamily": "CGI abuses : XSS", "objectVersion": "1.2", "pluginID": "73530", "published": "2014-04-15T00:00:00", "references": ["http://www.fortiguard.com/advisory/FG-IR-14-002"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73530);\n script_version(\"$Revision: 1.4 $\");\n script_cvs_date(\"$Date: 2015/04/23 20:09:18 $\");\n\n script_cve_id(\"CVE-2013-7181\");\n script_bugtraq_id(65303);\n script_osvdb_id(102820);\n script_xref(name:\"CERT\", value:\"593118\");\n\n script_name(english:\"Fortinet FortiWeb 5.x < 5.1.0 XSS\");\n script_summary(english:\"Checks the version of FortiWeb.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is affected by a cross-site scripting vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running FortiWeb 5.x prior to 5.1.0. It is,\ntherefore, affected by a cross-site scripting vulnerability in the web\nUI due to a failure to sanitize user-supplied input to the 'filter'\nparameter in the '/user/ldap_user/add' script. An attacker could\npotentially exploit this vulnerability to execute arbitrary JavaScript\nin the context of the end-user's browser.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.fortiguard.com/advisory/FG-IR-14-002\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Fortinet FortiWeb 5.1.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/02/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/01/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fortinet:fortiweb\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n\n script_dependencies(\"fortinet_version.nbin\");\n script_require_keys(\"Host/Fortigate/model\", \"Host/Fortigate/version\", \"Host/Fortigate/build\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\napp_name = \"FortiWeb\";\nmodel = get_kb_item_or_exit(\"Host/Fortigate/model\");\nversion = get_kb_item_or_exit(\"Host/Fortigate/version\");\nbuild = get_kb_item_or_exit(\"Host/Fortigate/build\");\nvuln = FALSE;\n\n# Make sure device is FortiWeb.\nif (!preg(string:model, pattern:\"fortiweb\", icase:TRUE)) audit(AUDIT_HOST_NOT, \"a \" + app_name + \" device\");\n\n# Only 5.x is affected.\nif (version =~ \"^5\\.\")\n{\n max_affected = \"5.0.3\";\n max_affected_build = 57;\n fix = \"5.1.0\";\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, app_name, version);\n\n# If build number is available, this is the safest comparison.\n# Otherwise compare version numbers.\nif (build !~ \"Unknown\")\n{\n if (int(build) <= max_affected_build) vuln = TRUE;\n}\nelse if (ver_compare(ver:version, fix:max_affected, strict:FALSE) <= 0) vuln = TRUE;\n\nif (vuln)\n{\n port = 0;\n set_kb_item(name:\"www/\"+port+\"/XSS\", value:TRUE);\n if (report_verbosity > 0)\n {\n report =\n '\\n Model : ' + model +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n\n security_warning(extra:report, port:port);\n }\n else security_warning(port:port);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, app_name, version);\n", "title": "Fortinet FortiWeb 5.x < 5.1.0 XSS", "type": "nessus", "viewCount": 0}, "differentElements": ["cpe"], "edition": 1, "lastseen": "2016-09-26T17:24:27"}], "edition": 3, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "9e0dd2d84677a3c8821eb0050dab8147"}, {"key": "cvelist", "hash": "bfa355546d6ebf05ab68c515317f2305"}, {"key": "cvss", "hash": "6e9bdd2021503689a2ad9254c9cdf2b3"}, {"key": "description", "hash": "fdcfef5c1623fa1c9200d46af4501528"}, {"key": "href", "hash": "e7b3a915fb5018dc6c7b454c791cbb9d"}, {"key": "modified", "hash": "e3da22819dd9cc8296d561d46b4d725a"}, {"key": "naslFamily", "hash": "61e021375865ee20d8f9e2562510b86f"}, {"key": "pluginID", "hash": "bae6a614f57536659ef89e3a491d6030"}, {"key": "published", "hash": "91a222bb1150aecb4099787c2d7f68e4"}, {"key": "references", "hash": "9cc51583c024a754e50753d935240eca"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "c1c1e71b9d10ab4858f486d050a887b5"}, {"key": "title", "hash": "525642db8265757482d6d1c71faf5f37"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "cd8bbb56938cc91a5ccb485a3d4ae30ca854208de3159edb0426eedf4eb8c32e", "viewCount": 0, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}, "vulnersScore": 4.3}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73530);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/07/11 17:09:24\");\n\n script_cve_id(\"CVE-2013-7181\");\n script_bugtraq_id(65303);\n script_xref(name:\"CERT\", value:\"593118\");\n\n script_name(english:\"Fortinet FortiWeb 5.x < 5.1.0 XSS\");\n script_summary(english:\"Checks the version of FortiWeb.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is affected by a cross-site scripting vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running FortiWeb 5.x prior to 5.1.0. It is,\ntherefore, affected by a cross-site scripting vulnerability in the web\nUI due to a failure to sanitize user-supplied input to the 'filter'\nparameter in the '/user/ldap_user/add' script. An attacker could\npotentially exploit this vulnerability to execute arbitrary JavaScript\nin the context of the end-user's browser.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.fortiguard.com/advisory/FG-IR-14-002\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Fortinet FortiWeb 5.1.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/02/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/01/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fortinet:fortiweb\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"fortinet_version.nbin\");\n script_require_keys(\"Host/Fortigate/model\", \"Host/Fortigate/version\", \"Host/Fortigate/build\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\napp_name = \"FortiWeb\";\nmodel = get_kb_item_or_exit(\"Host/Fortigate/model\");\nversion = get_kb_item_or_exit(\"Host/Fortigate/version\");\nbuild = get_kb_item_or_exit(\"Host/Fortigate/build\");\nvuln = FALSE;\n\n# Make sure device is FortiWeb.\nif (!preg(string:model, pattern:\"fortiweb\", icase:TRUE)) audit(AUDIT_HOST_NOT, \"a \" + app_name + \" device\");\n\n# Only 5.x is affected.\nif (version =~ \"^5\\.\")\n{\n max_affected = \"5.0.3\";\n max_affected_build = 57;\n fix = \"5.1.0\";\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, app_name, version);\n\n# If build number is available, this is the safest comparison.\n# Otherwise compare version numbers.\nif (build !~ \"Unknown\")\n{\n if (int(build) <= max_affected_build) vuln = TRUE;\n}\nelse if (ver_compare(ver:version, fix:max_affected, strict:FALSE) <= 0) vuln = TRUE;\n\nif (vuln)\n{\n port = 0;\n set_kb_item(name:\"www/\"+port+\"/XSS\", value:TRUE);\n if (report_verbosity > 0)\n {\n report =\n '\\n Model : ' + model +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n\n security_warning(extra:report, port:port);\n }\n else security_warning(port:port);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, app_name, version);\n", "naslFamily": "CGI abuses : XSS", "pluginID": "73530", "cpe": ["cpe:/o:fortinet:fortiweb"]}
{"result": {"cve": [{"lastseen": "2016-09-03T19:18:20", "references": ["http://www.kb.cert.org/vuls/id/593118", "http://www.securityfocus.com/bid/65303", "http://www.fortiguard.com/advisory/FG-IR-14-002/", "http://www.securitytracker.com/id/1029731", "http://archives.neohapsis.com/archives/fulldisclosure/2014-02/0015.html"], "edition": 1, "description": "Cross-site scripting (XSS) vulnerability in user/ldap_user/add in Fortinet FortiOS 5.0.3 allows remote attackers to inject arbitrary web script or HTML via the filter parameter.", "reporter": "NVD", "published": "2014-02-04T00:39:08", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "title": "CVE-2013-7181", "type": "cve", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2013-7181"], "scanner": [], "modified": "2015-07-27T12:12:36", "cpe": ["cpe:/a:fortinet:fortiweb:5.0.3"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7181", "id": "CVE-2013-7181", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "cert": [{"lastseen": "2016-02-03T09:13:24", "references": ["http://cwe.mitre.org/data/definitions/79.html", "http://cwe.mitre.org/data/definitions/79.html", "http://cwe.mitre.org/data/definitions/79.html", "http://www.fortinet.com/products/fortiweb/", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7181", "http://www.fortiguard.com/advisory/FG-IR-14-002/", "http://www.fortiguard.com/advisory/FG-IR-14-002/"], "description": "### Overview\n\nFortinet Fortiweb 5.0.3, and possibly earlier versions, contains a cross-site scripting vulnerability. ([CWE-79](<http://cwe.mitre.org/data/definitions/79.html>))\n\n### Description\n\n[**CWE-79**](<http://cwe.mitre.org/data/definitions/79.html>)**: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')**\n\nFortinet Fortiweb 5.0.3, and possibly earlier versions, contains a cross-site scripting vulnerability. The \"`filter`\" parameter in the \"`/user/ldap_user/add`\" page is vulnerable to a reflected cross-site scripting attack. \n \n--- \n \n### Impact\n\nA remote unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session. \n \n--- \n \n### Solution\n\n**Apply an Update** \n \nThe vendor has released [FortiWeb 5.1.0](<http://www.fortiguard.com/advisory/FG-IR-14-002/>) to address this vulnerability. If you are unable to upgrade, please consider the following workaround. \n \n--- \n \n**Restrict access** \n \nAs a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS or CSRF attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing the Fortiweb interface using stolen credentials from a blocked network location. \n \n--- \n \n### Vendor Information \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nFortinet, Inc.| | 20 Nov 2013| 03 Feb 2014 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23593118 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 4.3 | AV:N/AC:M/Au:N/C:P/I:N/A:N \nTemporal | 3.3 | E:U/RL:ND/RC:UC \nEnvironmental | 3.3 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND \n \n### References\n\n * <http://www.fortiguard.com/advisory/FG-IR-14-002/>\n * <http://cwe.mitre.org/data/definitions/79.html>\n * <http://www.fortinet.com/products/fortiweb/>\n\n### Credit\n\nThanks to William Costa for reporting this vulnerability.\n\nThis document was written by Jared Allar.\n\n### Other Information\n\n * CVE IDs: [CVE-2013-7181](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7181>)\n * Date Public: 03 Feb 2014\n * Date First Published: 03 Feb 2014\n * Date Last Updated: 04 Feb 2014\n * Document Revision: 15\n\n", "edition": 1, "reporter": "CERT", "published": "2014-02-03T00:00:00", "title": "Fortinet Fortiweb 5.0.3 contains a reflected cross-site scripting vulnerability", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "cert", "bulletinFamily": "info", "cvelist": ["CVE-2013-7181", "CVE-2013-7181"], "modified": "2014-02-04T00:00:00", "id": "VU:593118", "href": "https://www.kb.cert.org/vuls/id/593118", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "openvas": [{"lastseen": "2018-04-11T11:30:02", "references": ["https://fortiguard.com/psirt/FG-IR-14-002"], "pluginID": "1361412562310105206", "description": "Fortiweb 5.0.3 and earlier versions contain a cross-site scripting vulnerability. The filter parameter in the URL ", "edition": 2, "reporter": "This script is Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-02-11T00:00:00", "title": "FortiOS: FortiWeb Cross-Site Scripting Vulnerability", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "naslFamily": "FortiOS Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-7181"], "modified": "2018-04-10T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105206", "id": "OPENVAS:1361412562310105206", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fortiweb_FG-IR-14-002.nasl 9415 2018-04-10 06:55:50Z cfischer $\n#\n# FortiOS: FortiWeb Cross-Site Scripting Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:fortinet:fortiweb\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105206\");\n script_cve_id(\"CVE-2013-7181\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_version (\"$Revision: 9415 $\");\n\n script_name(\"FortiOS: FortiWeb Cross-Site Scripting Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://fortiguard.com/psirt/FG-IR-14-002\");\n\n script_tag(name: \"impact\" , value:\"A remote unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session.\");\n\n script_tag(name: \"vuldetect\" , value:\"Check the version\");\n script_tag(name: \"solution\" , value:\"Upgrade to FortiWeb 5.1.0 or higher.\");\n\n script_tag(name: \"summary\" , value:\"Fortiweb 5.0.3 and earlier versions contain a cross-site scripting vulnerability. The filter parameter in the URL '/user/ldap_user/add'\nis vulnerable to cross-site scripting attack.\");\n\n script_tag(name: \"affected\" , value:\"FortiWeb 5.0.3 and lower.\");\n script_tag(name:\"solution_type\", value: \"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-10 08:55:50 +0200 (Tue, 10 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-02-11 12:17:13 +0100 (Wed, 11 Feb 2015)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"FortiOS Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2015 Greenbone Networks GmbH\");\n script_dependencies(\"gb_fortiweb_version.nasl\");\n script_mandatory_keys(\"fortiweb/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nversion = get_app_version( cpe:CPE );\nif( ! version )\n version = get_kb_item(\"fortiweb/version\");\n\nif( ! version ) exit( 0 );\n\nfix = \"5.1.0\";\n\nif( version_is_less( version:version, test_version:fix ) )\n{\n model = get_kb_item(\"fortiweb/model\");\n if( ! isnull( model ) ) report = 'Model: ' + model + '\\n';\n report += 'Installed Version: ' + version + '\\nFixed Version: ' + fix + '\\n';\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:20:03", "references": [], "edition": 1, "description": "", "reporter": "William Costa", "published": "2014-02-04T00:00:00", "type": "packetstorm", "title": "FortiWeb 5.0.3 Cross Site Scripting", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2013-7181"], "modified": "2014-02-04T00:00:00", "href": "https://packetstormsecurity.com/files/125049/FortiWeb-5.0.3-Cross-Site-Scripting.html", "id": "PACKETSTORM:125049", "sourceData": "`I. VULNERABILITY \n \n------------------------- \n \nXSS Reflected vulnerabilities in OS of FortiWeb v 5.0.3 \n \nCVE-2013-7181 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7181> \n \n \nII. BACKGROUND \n \n------------------------- \n \nFortinet's industry-leading, Network Security Platforms deliver Next \nGeneration Firewall (NGFW) security with exceptional throughput, ultra \nlow latency, and multi-vector threat protection. \n \n \n \nIII. DESCRIPTION \n \n------------------------- \n \nHas been detected a XSS Reflected vulnerability in Fortiweb in \" \n/user/ldap_user/add\" parameter \"filter\" 5.0.3 , that allows the \nexecution of arbitrary HTML/script code to be executed in the context \nof the victim user's browser and/or Session Hijacking attack \n \n \n \n \n \nIV. PROOF OF CONCEPT \n \n------------------------- \n \nThe application does not validate the parameter filter in \" \n/user/ldap_user/add\". \n \n \n \n \nV. BUSINESS IMPACT \n \n------------------------- \n \n \n \nThat allows the execution attackers to hijack the authentication of \nadministrators. \n \n \n \nVI. REQUIREMENTS \n \n----------------------- \n \nAn Attacker needs to know the IP of the device. \n \nAn Administrator needs an authenticated connection to the device. \n \n \n \nVII. SYSTEMS AFFECTED \n \n------------------------- \n \nTry FortiWEB VM or appliance v5.0.3 \n \n \n \n \n \nVIII. SOLUTION \n \n------------------------- \n \nUpgrade to FortiWeb 5.1.0 or higher. \n \n \nBy William Costa \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/125049/fortiweb503-xss.txt", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}]}}
