Fortinet FortiOS Multiple Vulnerabilities


Description   (#Several vulnerabilities have been identified in Fortinet FortiOS:#- open redirect: A remote attacker could exploit it by inciting their victims to follow a specially crafted link in order to redirect to a malicious website#- cross-site scripting: A remote attacker can exploit it in order to execute arbitrary Javascript or HTML code by inciting their victim into following a specially formed link#- CVE-2015-3626: stored cross-site scripting. A remote attacker can exploit it in order to execute arbitrary Javascript or HTML code by inciting their victim into following a specially formed link. The vulnerability is located in the "DHCP HOSTNAME" option.##These two vulnerabilities exist within the parameter "redir" in the Fortiweb web login portal.##Proofs of concept are available for the first two vulnerabilities.)
     
Vulnerable Products   Vulnerable OS:
FortiOS (Fortinet) - 5.0, 5.0.1, 5.0.10, 5.0.11, 5.0.12, ..., 5.0.8, 5.0.9, 5.2.0, 5.2.1, 5.2.2
     
Solution   - 5.4 branch: 5.4.0.
     
CVE   CVE-2015-3626
     
References   - Full Disclosure : FortiOS (Fortinet) - Open Redirect and Cross Site Scripting
http://seclists.org/fulldisclosure/2016/Mar/68
- FortiGuard Center : DHCP Hostname HTML Injection
https://fortiguard.com/advisory/dhcp-hostname-html-injection
     
Vulnerability Manager Detection   No
     
IPS Protection  
ASQ Engine alarm Available Since
XSS - Prevention - GET : suspicious 'iframe' tag found in URL
3.2.0
XSS - Prevention - GET : suspicious 'meta' tag found in URL
3.2.0
XSS - Prevention - GET : suspicious tag with event found in URL
3.2.0
XSS - Prevention - GET : suspicious 'applet' tag found in URL
3.2.0
XSS - Phishing : suspicious 'div' tag found in URL
3.2.0
XSS - Prevention - GET : suspicious 'style' attribute found in URL
3.2.0
XSS - Prevention - GET : suspicious 'img' tag found in URL
3.2.0
XSS - Phishing : suspicious 'a' tag found in URL
3.2.0
XSS - Prevention - GET : cookie access attempt using script language found in URL
3.2.0
XSS - Prevention - GET : suspicious 'embed' tag found in URL
3.2.0
XSS - Prevention - GET : suspicious 'object' tag found in URL
3.2.0
XSS - Phishing : suspicious 'form' tag found in URL
3.2.0
XSS - Prevention - GET : javascript code found in URL
3.2.0
XSS - Prevention - GET : evasion attempt using tag characters encoding in URL
3.2.0
XSS - Prevention - GET : suspicious 'style' tag found in URL
3.2.0
XSS - Phishing : suspicious 'link' tag found in URL
3.2.0
XSS - Prevention - GET : 'script' tag found in URL
3.2.0
XSS - Prevention - GET : 'location' javascript object found in URL
3.2.0
XSS - Prevention - GET : suspicious 'div' tag found in URL
3.2.0
Site with open redirect
4.0.0
     


 
 
 
 
 Risk level 
Moderate 

 Vulnerability First Public Report Date 
2016-03-17 

 Target Type 
Client 

 Possible exploit 
Remote