Fortinet FortiWeb OS Command Injection

An OS command injection vulnerability in FortiWeb's management interface (version 6.3.11 and prior) can allow a remote, authenticated attacker to execute arbitrary commands on the system, via the SAML server configuration page. This is an instance of CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') and has a CVSSv3 base score of 8.7. This vulnerability appears to be related to CVE-2021-22123, which was addressed in FG-IR-20-120.

Product Description

Fortinet FortiWeb is a web application firewall (WAF), designed to catch both known and unknown exploits targeting the protected web applications before they have a chance to execute. More about FortiWeb can be found at the vendor's website.

Credit

This issue was discovered by researcher William Vu of Rapid7. It is being disclosed in accordance with Rapid7's vulnerability disclosure policy.

Exploitation

An attacker, who is first authenticated to the management interface of the FortiWeb device, can smuggle commands using backticks in the "Name" field of the SAML Server configuration page. These commands are then executed as the root user of the underlying operating system. The affected code is noted below:

int move_metafile(char *path,char *name)
{
int iVar1;
char buf [512];
int nret;
snprintf(buf,0x200,"%s/%s","/data/etc/ ..
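The unsafe pattern the advisory describes, next to a hardened version, as an added C illustration that is neither FortiWeb's code nor Rapid7's: a command line built from a user-controlled name is what lets backticks reach /bin/sh, while the safe variant validates the name against a small allowlist and moves the file with rename(2) so no shell is ever involved. The META_DIR path, the function names and the sample name values are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define META_DIR "/data/etc"   /* assumed destination directory; the page's path is truncated */

/* Vulnerable pattern (hypothetical reconstruction, not FortiWeb's code): the
 * user-supplied SAML server name is interpolated into a shell command line.
 * If this string is later handed to system() or popen(), backticks and other
 * metacharacters in the name are interpreted by /bin/sh as root. */
int build_move_command_vuln(char *cmd, size_t cmdlen, const char *path, const char *name)
{
    return snprintf(cmd, cmdlen, "mv %s %s/%s", path, META_DIR, name);
}

/* Detection helper for the demonstration: does a built command line contain
 * shell metacharacters that would change its meaning? */
int command_contains_metachar(const char *cmd)
{
    return strpbrk(cmd, "`$;|&<>()\n") != NULL;
}

/* Hardened check: accept only a conservative allowlist of characters so the
 * name can never carry shell syntax or path separators. Returns 1 if safe. */
int saml_name_is_safe(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 64) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '-' || c == '_' || c == '.')) return 0;
    }
    /* '/' is already excluded, but reject the dot components explicitly */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    return 1;
}

/* Hardened move: no shell at all. Validates the name, builds the destination
 * path with a truncation check, then uses rename(2). Returns -1 on rejection. */
int move_metafile_safe(const char *path, const char *name)
{
    char dst[512];
    if (!saml_name_is_safe(name)) return -1;
    int n = snprintf(dst, sizeof dst, "%s/%s", META_DIR, name);
    if (n < 0 || (size_t)n >= sizeof dst) return -1;   /* would be truncated */
    return rename(path, dst);
}
```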
