Fortigate Firewall selector Admin Interface XSS

2003-11-12T00:00:00
ID OSVDB:3296
Type osvdb
Reporter Maarten Hartsuijker(maarten@hartsuijker.com)
Modified 2003-11-12T00:00:00

Description

Vulnerability Description

Fortinet Fortigate Firewall contains a flaw that allows a remote Cross Site Scripting attack. This flaw exists because the application does not validate "button" variables upon submission to the "selector" script. This could allow a user to send a specially crafted request that would execute arbitrary code on the server leading to a loss of integrity.

Solution Description

Upgrade to version 2.50 MR5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

Fortinet Fortigate Firewall contains a flaw that allows a remote Cross Site Scripting attack. This flaw exists because the application does not validate "button" variables upon submission to the "selector" script. This could allow a user to send a specially crafted request that would execute arbitrary code on the server leading to a loss of integrity.

Manual Testing Notes

http://[victim]/theme1/selector?button=status,monitor,session"><script>alert('oops')</script>&button_url=/system/status/status,/system/status/moniter,/system/status/session

http://[victim]/theme1/selector?button=status,monitor,session&button_url=/system/status/status"><script>alert('oops')</script>,/system/status/moniter,/system/status/session

http://[victim]/theme1/selector?button=status,monitor,session&button_url=/system/status/status,/system/status/moniter"><script>alert('oops')</script>,/system/status/session

http://[victim]/theme1/selector?button=status,monitor,session&button_url=/system/status/status,/system/status/moniter,/system/status/session"><script>alert('oops')</script>
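The description says the selector page reflects the comma-separated button and button_url values without validating them, and the test URLs show that a value carrying `">` closes the attribute it is written into, after which the rest of the value is parsed as markup. The following Python is an added illustration, not Fortinet's code: the real selector markup is unknown, so the tab-bar HTML, the positional pairing of labels with URLs and the local-path allowlist are assumptions. It renders the query string of the first test URL above (host dropped, used here as constructed input) first the unsafe way and then with escaping chosen for the HTML context each value lands in.

```python
import html
from urllib.parse import parse_qs

# Constructed sample input: the query string of the first "Manual Testing Notes"
# URL in the advisory, with the host part dropped. Everything in it is
# attacker-controlled data and must be treated as such when rendered.
SAMPLE_QUERY = (
    'button=status,monitor,session"><script>alert(\'oops\')</script>'
    '&button_url=/system/status/status,/system/status/moniter,/system/status/session'
)


def parse_selector_params(query):
    """Split the 'button' and 'button_url' parameters into (label, url) pairs.

    Pairing by position mirrors how a tab bar built from two parallel
    comma-separated lists would plausibly work (an assumption, not Fortinet's
    documented behaviour). Surplus items on either side are dropped.
    """
    params = parse_qs(query, keep_blank_values=True)
    labels = params.get("button", [""])[0].split(",")
    urls = params.get("button_url", [""])[0].split(",")
    return list(zip(labels, urls))


def url_is_local_path(url):
    """Allowlist check (assumed policy): the selector only links within the
    admin UI, so accept a single-slash relative path and nothing with a scheme."""
    return url.startswith("/") and not url.startswith("//") and ":" not in url


def render_unsafe(pairs):
    """Vulnerable rendering: values go straight into attribute and text nodes.

    A label or URL ending in '">' terminates the attribute and the tag, so a
    following <script> element is parsed by the browser as real markup.
    """
    items = [
        f'<a class="tab" href="{url}" title="{label}">{label}</a>'
        for label, url in pairs
    ]
    return '<div class="selector">' + "".join(items) + "</div>"


def render_safe(pairs):
    """Hardened rendering: validate the URL, then HTML-escape every value.

    html.escape(quote=True) also encodes the double and single quote, which is
    what keeps an untrusted value from breaking out of an attribute.
    """
    items = []
    for label, url in pairs:
        target = url if url_is_local_path(url) else "#"
        safe_label = html.escape(label, quote=True)
        safe_url = html.escape(target, quote=True)
        items.append(
            f'<a class="tab" href="{safe_url}" title="{safe_label}">{safe_label}</a>'
        )
    return '<div class="selector">' + "".join(items) + "</div>"


def contains_injected_script(rendered):
    """True if a <script> start tag survived into the rendered page."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    pairs = parse_selector_params(SAMPLE_QUERY)
    print("unsafe rendering executes script:", contains_injected_script(render_unsafe(pairs)))
    print("safe rendering executes script:  ", contains_injected_script(render_safe(pairs)))
    print(render_safe(pairs))
```

Escaping is applied at output time, per context, rather than by trying to strip `<script>` from the input: the same value in the `href` attribute, the `title` attribute and the link text needs the quote characters encoded, and a blocklist on the input would miss encodings the browser still accepts. The path allowlist additionally stops a `javascript:` URL, which escaping alone would leave functional inside `href`.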

References:

Vendor URL: http://www.fortinet.com/
Related OSVDB ID: 3289
Related OSVDB ID: 3294
Related OSVDB ID: 3295
Mail List Post: http://archives.neohapsis.com/archives/vulnwatch/2003-q4/0037.html
ISS X-Force ID: 13742
Bugtraq ID: 9033