PSIRT Advisories

HTTP debug commands in FortiMail expose user credentials to admins

Description

FortiMail's "diag debug application httpd" set of commands can be used to capture the credentials entered in the admin WebGUI and webmail login page forms. The debug commands can be executed by super_admin users and admin users.

Impact Detail

FortiMail's users' credentials may be captured by super_admins and admins.

Affected Products

FortiMail 5.0.3 to 5.2.3. Previous versions are not affected.

Solutions

Upgrade to 5.2.4.
There is currently no workaround to disable the debug command in 5.1 and 5.0.