PSIRT Advisory

Potential Web Vulnerabilities in FortiMail

Summary

Input filter bypass and exception handling vulnerabilities can be used by an attacker to hijack administrator or customer sessions within certain conditions.

Description

Input filter bypass and exception handling vulnerabilities can be used by an attacker to hijack administrator or customer sessions within certain conditions.

Impact

Exception Handling and Input Filter Bypass

Affected Products

FortiMail IBE Appliances 200D, 400C, VM2000, 2000B and 5002B.

Solutions

This was fixed and released with FortiMail 4.3.4 on December 12th, 2012 as well as FortiMail 5.0.0. Though this is rated as high and requires a sophisticated attack for session hijacking or targeted information disclosure, it is recommended to upgrade to close the potential attack vectors.

Acknowledgement

Benjamin Kunz Mejri of Vulnerability Laboratory Research Team