Skip to content
Nuclei Templates

Fortinet FortiOS - Open Redirect/Cross-Site Scripting

ID: CVE-2016-3978

Severity: medium

Author: 0x_Akoko

Tags: cve2016,cve,redirect,fortinet,fortios,seclists

Description

Section titled “Description”

FortiOS Web User Interface in 5.0.x before 5.0.13, 5.2.x before 5.2.3, and 5.4.x before 5.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting attacks via the “redirect” parameter to “login.”

YAML Source

Section titled “YAML Source”
id: CVE-2016-3978


info:
  name: Fortinet FortiOS  - Open Redirect/Cross-Site Scripting
  author: 0x_Akoko
  severity: medium
  description: FortiOS Web User Interface in 5.0.x before 5.0.13, 5.2.x before 5.2.3, and 5.4.x before 5.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting attacks via the "redirect" parameter to "login."
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized access, phishing attacks, and potential data theft.
  remediation: |
    Apply the latest security patches and updates provided by Fortinet to mitigate the vulnerability.
  reference:
    - http://www.fortiguard.com/advisory/fortios-open-redirect-vulnerability
    - https://nvd.nist.gov/vuln/detail/CVE-2016-3978
    - http://seclists.org/fulldisclosure/2016/Mar/68
    - http://www.securitytracker.com/id/1035332
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2016-3978
    cwe-id: CWE-79
    epss-score: 0.00217
    epss-percentile: 0.59667
    cpe: cpe:2.3:o:fortinet:fortios:5.0.0:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: fortinet
    product: fortios
    shodan-query:
      - http.html:"/remote/login" "xxxxxxxx"
      - http.favicon.hash:945408572
      - cpe:"cpe:2.3:o:fortinet:fortios"
      - port:10443 http.favicon.hash:945408572
    fofa-query:
      - body="/remote/login" "xxxxxxxx"
      - icon_hash=945408572
  tags: cve2016,cve,redirect,fortinet,fortios,seclists


http:
  - method: GET
    path:
      - '{{BaseURL}}/login?redir=http://www.interact.sh'


    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1
# digest: 4b0a00483046022100f7e1e5e594b382c0c16b6f0c31fc2d9610db7284390810ae9a9a14b7f556ad19022100ac91a8e69fad91b74d3ae6af80107d6ab08e1cb586555d730839ecb69d62b539:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2016/CVE-2016-3978.yaml"

View on Github