ID

VAR-200512-0019


CVE

CVE-2005-3058


TITLE

Fortinet FortiGate URL Check for filter bypass vulnerabilities

Trust: 0.6

sources: CNNVD: CNNVD-200512-899

DESCRIPTION

Interpretation conflict in Fortinet FortiGate 2.8, running FortiOS 2.8MR10 and v3beta, allows remote attackers to bypass the URL blocker via an (1) HTTP request terminated with a line feed (LF) and not carriage return line feed (CRLF) or (2) HTTP request with no Host field, which is still processed by most web servers without violating RFC2616. Fortinet FortiGate is prone to a vulnerability that could allow users to bypass the device's URL filtering. FortiGate devices running FortiOS v2.8MR10 and v3beta are vulnerable to this issue. Other versions may also be affected. Fortinet FortiGate is a network security platform developed by Fortinet. The platform provides functions such as firewall, antivirus and intrusion prevention (IPS), application control, antispam, wireless controller and WAN acceleration. TITLE: FortiGate URL Filter and Virus Scanning Bypass Vulnerabilities SECUNIA ADVISORY ID: SA18844 VERIFY ADVISORY: http://secunia.com/advisories/18844/ CRITICAL: Less critical IMPACT: Security Bypass WHERE: >From local network OPERATING SYSTEM: Fortinet FortiOS (FortiGate) 2.x http://secunia.com/product/2289/ Fortinet FortiOS (FortiGate) 3.x http://secunia.com/product/6802/ DESCRIPTION: Mathieu Dessus has reported two vulnerabilities in FortiGate, which can be exploited by malicious people and users to bypass certain security restrictions. 1) The URL blocking functionality can be bypassed by specially-crafted HTTP requests that are terminated by the CR character instead of the CRLF characters. It is also possible to bypass the functionality via a HTTP/1.0 request with no host header. The vulnerability has been reported in FortiOS v2.8MR10 and v3beta. 2) The virus scanning functionality can be bypassed when sending files over FTP under certain conditions. The vulnerability has been reported in FortiOS v2.8MR10 and v3beta. SOLUTION: Do not rely on URL blocking as the only means of blocking users' access. Desktop-based on-access virus scanners should be used together with server-based virus scanners. PROVIDED AND/OR DISCOVERED BY: Mathieu Dessus ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042139.html http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042140.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 1.35

sources: NVD: CVE-2005-3058 // BID: 16599 // VULHUB: VHN-14267 // PACKETSTORM: 43767

AFFECTED PRODUCTS

vendor:fortinetmodel:fortigatescope:eqversion:2.8

Trust: 1.6

vendor:fortinetmodel:fortiosscope:lteversion:3_beta

Trust: 1.0

vendor:fortinetmodel:fortiosscope:lteversion:2.8_mr10

Trust: 1.0

vendor:fortinetmodel:fortiosscope:eqversion:2.8_mr10

Trust: 0.6

vendor:fortinetmodel:fortiosscope:eqversion:3_beta

Trust: 0.6

vendor:fortinetmodel:fortios betascope:eqversion:3.0

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:2.80

Trust: 0.3

vendor:fortinetmodel:fortios mr5scope:eqversion:2.50

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:2.50

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:2.36

Trust: 0.3

vendor:fortinetmodel:fortios mr10scope:eqversion:2.8

Trust: 0.3

vendor:fortinetmodel:fortios 0mr4scope:eqversion:2.5

Trust: 0.3

vendor:fortinetmodel:fortiosscope:neversion:3.0

Trust: 0.3

vendor:fortinetmodel:fortios mr12scope:neversion:2.80

Trust: 0.3

sources: BID: 16599 // CNNVD: CNNVD-200512-899 // NVD: CVE-2005-3058

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2005-3058
value: HIGH

Trust: 1.0

CNNVD: CNNVD-200512-899
value: HIGH

Trust: 0.6

VULHUB: VHN-14267
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2005-3058
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-14267
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-14267 // CNNVD: CNNVD-200512-899 // NVD: CVE-2005-3058

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.1

sources: VULHUB: VHN-14267 // NVD: CVE-2005-3058

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200512-899

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-200512-899

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-14267

EXTERNAL IDS

db:NVDid:CVE-2005-3058

Trust: 2.0

db:BIDid:16599

Trust: 2.0

db:SECUNIAid:18844

Trust: 1.8

db:VUPENid:ADV-2006-0539

Trust: 1.7

db:CNNVDid:CNNVD-200512-899

Trust: 0.7

db:XFid:24626

Trust: 0.6

db:FULLDISCid:20060213 URL FILTER BYPASS IN FORTINET

Trust: 0.6

db:BUGTRAQid:20060213 URL FILTER BYPASS IN FORTINET

Trust: 0.6

db:NSFOCUSid:8486

Trust: 0.6

db:EXPLOIT-DBid:27203

Trust: 0.1

db:SEEBUGid:SSVID-80820

Trust: 0.1

db:VULHUBid:VHN-14267

Trust: 0.1

db:PACKETSTORMid:43767

Trust: 0.1

sources: VULHUB: VHN-14267 // BID: 16599 // PACKETSTORM: 43767 // CNNVD: CNNVD-200512-899 // NVD: CVE-2005-3058

REFERENCES

url:http://lists.grok.org.uk/pipermail/full-disclosure/2006-february/042140.html

Trust: 1.8

url:http://www.securityfocus.com/bid/16599

Trust: 1.7

url:http://www.fortiguard.com/advisory/fga-2006-10.html

Trust: 1.7

url:http://secunia.com/advisories/18844

Trust: 1.7

url:http://www.securityfocus.com/archive/1/424858/100/0/threaded

Trust: 1.1

url:http://www.vupen.com/english/advisories/2006/0539

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/24626

Trust: 1.1

url:http://xforce.iss.net/xforce/xfdb/24626

Trust: 0.6

url:http://www.securityfocus.com/archive/1/archive/1/424858/100/0/threaded

Trust: 0.6

url:http://www.frsirt.com/english/advisories/2006/0539

Trust: 0.6

url:http://www.nsfocus.net/vulndb/8486

Trust: 0.6

url:http://fortinet.com/fortiguardcenter/url_vuln.html

Trust: 0.3

url:http://www.fortinet.com/

Trust: 0.3

url:/archive/1/485794

Trust: 0.3

url:/archive/1/485813

Trust: 0.3

url:/archive/1/424858

Trust: 0.3

url:http://secunia.com/product/6802/

Trust: 0.1

url:http://secunia.com/secunia_security_advisories/

Trust: 0.1

url:http://lists.grok.org.uk/pipermail/full-disclosure/2006-february/042139.html

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/about_secunia_advisories/

Trust: 0.1

url:http://secunia.com/advisories/18844/

Trust: 0.1

url:http://secunia.com/product/2289/

Trust: 0.1

sources: VULHUB: VHN-14267 // BID: 16599 // PACKETSTORM: 43767 // CNNVD: CNNVD-200512-899 // NVD: CVE-2005-3058

CREDITS

Mathieu Dessus mdessus@gmail.com

Trust: 0.6

sources: CNNVD: CNNVD-200512-899

SOURCES

db:VULHUBid:VHN-14267
db:BIDid:16599
db:PACKETSTORMid:43767
db:CNNVDid:CNNVD-200512-899
db:NVDid:CVE-2005-3058

LAST UPDATE DATE

2024-11-23T21:49:52.434000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-14267date:2018-10-19T00:00:00
db:BIDid:16599date:2008-01-04T20:19:00
db:CNNVDid:CNNVD-200512-899date:2009-09-05T00:00:00
db:NVDid:CVE-2005-3058date:2024-11-21T00:01:01.887

SOURCES RELEASE DATE

db:VULHUBid:VHN-14267date:2005-12-31T00:00:00
db:BIDid:16599date:2006-02-13T00:00:00
db:PACKETSTORMid:43767date:2006-02-13T19:29:16
db:CNNVDid:CNNVD-200512-899date:2005-12-31T00:00:00
db:NVDid:CVE-2005-3058date:2005-12-31T05:00:00