PSIRT Advisories

Potential Policy Bypass in FortiWeb Web Application Firewall

Summary

On May 2, 2012, a policy bypass vulnerability was publicly disclosed against Fortinet's FortiWeb Web Application Firewall. This vulnerability may exist if the unit is not configured to inspect and drop malformed or oversized requests. FortiWeb units are protected against this vulnerability when the proper configuration is in place (see Solutions).

Description

On May 2, 2012, a policy bypass vulnerability was publicly disclosed against Fortinet's FortiWeb Web Application Firewall. This vulnerability may exist if the unit is not configured to inspect and drop malformed or oversized requests. FortiWeb units are protected against this vulnerability when the proper configuration is in place (see Solutions).

Impact Detail

When FortiWeb units are not configured to block malformed traffic, large POST (body) or GET requests of more than 2 kilobytes are forwarded without inspection. Such traffic is therefore never matched against a policy, and potentially unwanted requests can pass through the Web Application Firewall.

Affected Products

FortiWeb - All Versions Prior to and Including v4.3 Patch 6.

Solutions

Fortinet recommends enabling the "Block Malformed Request" violation under "Protocol Constraints". In current versions of FortiWeb, this setting is found under Web Protection -> Protocol.
Fortinet is working on a more flexible solution for v4.3 Patch 7 that will further address this issue.
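The following is an added example, not part of Fortinet's advisory: a small detection script that scans origin-server access logs for requests over the 2 kilobyte threshold described under Impact Detail. Any oversized request that reached the backend is worth reviewing, since with the workaround above in place such requests should be blocked at the FortiWeb. The log format and all sample lines are constructed for this example; the only real value taken from the advisory is the 2 KB threshold.

```python
import re
from typing import Dict, List

# Threshold from the advisory: requests larger than 2 KB were forwarded
# without inspection when "Block Malformed Request" was not enabled.
OVERSIZED_BYTES = 2 * 1024

# Constructed backend log format (assumption, not a FortiWeb log format):
#   client [timestamp] "request-line" status request-content-length
LOG_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<clen>\d+|-)$'
)

def request_size(req_line: str, clen: str) -> int:
    """Approximate request size as the WAF would see it: the request line
    (covers long GET query strings) plus any declared body length."""
    body = int(clen) if clen.isdigit() else 0
    return len(req_line.encode()) + body

def find_oversized(lines: List[str], limit: int = OVERSIZED_BYTES) -> List[Dict]:
    """Return origin-side requests larger than `limit` bytes. A hit means
    the request reached the backend despite its size and deserves review."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        size = request_size(m["req"], m["clen"])
        if size > limit:
            hits.append({"client": m["client"], "method": m["req"].split(" ")[0],
                         "size": size, "status": m["status"]})
    return hits

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 [02/May/2012:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 -',
    '203.0.113.5 [02/May/2012:10:15:33 +0000] "POST /login HTTP/1.1" 200 4096',
    '198.51.100.7 [02/May/2012:10:15:34 +0000] "GET /search?q=' + "a" * 2100 + ' HTTP/1.1" 200 -',
    '198.51.100.7 [02/May/2012:10:15:35 +0000] "POST /comment HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in find_oversized(SAMPLE_LOG):
        print(f"{hit['client']} {hit['method']} {hit['size']} bytes -> HTTP {hit['status']}")
```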

References