Web application firewall rules bypass by using an empty filename
Summary
Two improper handling of syntactically invalid structure vulnerabilities [CWE-228] in FortiWeb may allow an unauthenticated attacker to bypass web firewall protections via HTTP/S crafted requests.
| Version | Affected | Solution |
|---|---|---|
| FortiWeb 7.6 | Not affected | Not Applicable |
| FortiWeb 7.4 | 7.4.0 through 7.4.6 | Upgrade to 7.4.7 or above |
| FortiWeb 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiWeb 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiWeb 6.4 | Not affected | Not Applicable |
MANDATORY steps to enable the fix:
1. Update to the latest FDS version.
2. Approve signature 050240001.
3. Enable the signature policy in the corresponding Web Protection Profile (for example, "Standard Protection").
4. Go to Web Protection/Input Validation/File Security/File Security Rule.
5. Click "Create New" and set the name to "file_security".
6. Under "Request URL Type" choose "Regular Expression", and in "Request URL" add "/". Click "OK".
7. Go to Web Protection/Input Validation/File Security/File Security Policy.
8. Click "Create New".
9. Set a name, for example "file_test".
10. Enable "Signature Detection" and click "OK".
11. Click "Create New", select the "File Security Rule" created above, and click "OK".
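As an added illustration of the defensive point behind these steps (this code is not from the advisory or from Fortinet), the parser below splits a multipart/form-data body and routes every part that carries a `filename` parameter, even an empty one, to file inspection instead of treating it as a plain form field. It assumes that the "empty filename" in the title refers to the multipart `Content-Disposition` `filename` parameter; the sample body, boundary and part names are constructed.

```python
import re

# Constructed sample body (not from the advisory): a plain field, a normal
# file part, and a part whose filename parameter is present but empty.
BOUNDARY = "----constructedboundary"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="note"\r\n\r\n'
    "hello\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="upload"; filename="report.pdf"\r\n'
    "Content-Type: application/pdf\r\n\r\n"
    "%PDF-1.4 <constructed content>\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="upload2"; filename=""\r\n'
    "Content-Type: application/octet-stream\r\n\r\n"
    "<constructed binary content>\r\n"
    f"--{BOUNDARY}--\r\n"
)

# Matches ';'-separated disposition parameters, quoted or bare values.
_PARAM_RE = re.compile(r';\s*([A-Za-z0-9_*-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]*)')


def parse_parts(body: str, boundary: str) -> list[dict]:
    """Split a multipart body into parts with lower-cased headers and parsed
    Content-Disposition parameters. Stops at the closing delimiter."""
    parts = []
    for chunk in body.split(f"--{boundary}")[1:]:
        if chunk.startswith("--"):  # closing delimiter "--boundary--"
            break
        head, _, data = chunk.lstrip("\r\n").partition("\r\n\r\n")
        headers = {}
        for line in head.split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        params = {}
        for m in _PARAM_RE.finditer(headers.get("content-disposition", "")):
            value = m.group(2)
            params[m.group(1).lower()] = value[1:-1] if value.startswith('"') else value
        parts.append({"headers": headers, "params": params, "data": data.rstrip("\r\n")})
    return parts


def classify(part: dict) -> str:
    """'field' if no filename parameter, 'empty-filename' if it is present but
    empty (syntactically odd; must not silently become a plain field), else 'file'."""
    params = part["params"]
    if "filename" not in params:
        return "field"
    return "empty-filename" if params["filename"] == "" else "file"


def parts_needing_file_inspection(body: str, boundary: str) -> list[str]:
    """Defensive policy: any part that declares a filename, even an empty one,
    goes through file security inspection. Returns the part names."""
    return [p["params"].get("name") for p in parse_parts(body, boundary)
            if classify(p) != "field"]
```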
Acknowledgement
Fortinet is pleased to thank Nikola Kojic, RAS-IT | https://www.ras-it.rs, and Qi Wang (@eki) and Jianjun Chen from Tsinghua University & Zhongguancun Lab for reporting these vulnerabilities under responsible disclosure.
Timeline
2025-03-11: Initial publication
2025-03-13: Added FWB 7.4 solution