PSIRT Advisories

FortiWeb - OS command injection due to direct input interpolation in API controllers

Summary

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiWeb may allow an authenticated attacker to execute arbitrary code or commands via crafted HTTP requests to ApplicationDelivery, JsonProtection and WebProtection controllers.

Affected Products

FortiWeb version 6.4.1 and below
FortiWeb version 6.3.16 and below
FortiWeb version 6.2.6 and below

Solutions

Upgrade to the upcoming FortiWeb version 7.0.0 or above

Upgrade to FortiWeb version 6.4.2 or above

Upgrade to FortiWeb version 6.3.17 or above

Upgrade to FortiWeb version 6.2.7 or above

 

Fix for FortiWeb versions 6.1, 6.0, 5.9 to be confirmed.

Acknowledgement

Internally discovered and reported by Mattia Fecit of Fortinet Product Security team.