PSIRT

FortiWeb Cross-Site Request Forgery Vulnerability

Description

Multiple CSRF vulnerabilities exist in the FortiWeb web administration console due to lack of CSRF token protection. This could allow remote attackers to perform administrative actions under specific conditions.

Impact Detail

A remote unauthenticated attacker may be able to trick a user into making an unintentional request to the web administration interface, via link or JavaScript hosted on a malicious web page. This forged request may be treated as authentic and result in unauthorized actions in the web administration interface. A successful attack would require the administrator to be logged in, and attacker knowledge of the internal FortiWeb administration URL.

Affected Products

FortiWeb 5.1.x and lower.

Solutions

Upgrade to FortiWeb 5.2.0 or higher.

Acknowledgement

This vulnerability was separately reported by both William Costa and Enrique Nissim.

IR Number	FG-IR-14-013
Date	May 2, 2014
Component	GUI
Severity	Medium
Impact	Authorization Bypass
CVE ID	CVE-2014-3115
CVRF	Download

Protect

Detect

Respond

Recover

Identify

Network Security

Endpoint Security

Application Security

Security Operations

PSIRT

FortiWeb Cross-Site Request Forgery Vulnerability

Description

Impact Detail

Affected Products

Solutions

Acknowledgement

News/Research

Research Center

PSIRT Center

Services

By Outbreak

By Solution

By Product

Protect

Detect

Respond

Recover

Identify

Network Security

Endpoint Security

Application Security

Security Operations

Threat Intelligence Center

Resource Center

About

About FortiGuard Labs

Partners

PSIRT

FortiWeb Cross-Site Request Forgery Vulnerability

Description

Impact Detail

Affected Products

Solutions

Acknowledgement

Threat Intelligence
Center