Fortiweb 5.1.x Cross Site Request Forgery

2014.05.09

Credit: William and Enrique

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-352

FortiWeb Cross-Site Request Forgery Vulnerability
Multiple CSRF vulnerabilities exist in the FortiWeb web administration console due to lack of CSRF token protection. This could allow remote attackers to perform administrative actions under specific conditions.
Impact
A remote unauthenticated attacker may be able to trick a user into making an unintentional request to the web administration interface, via link or JavaScript hosted on a malicious web page. This forged request may be treated as authentic and result in unauthorized actions in the web administration interface. A successful attack would require the administrator to be logged in, and attacker knowledge of the internal FortiWeb administration URL.
Affected Products
FortiWeb 5.1.x and lower.
Solutions
Upgrade to FortiWeb 5.2.0 or higher.
Acknowledgement
This vulnerability was separately reported by both William Costa and Enrique Nissim.

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Fortiweb 5.1.x Cross Site Request Forgery

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.