Friday, April 3, 2015

FortiMail exposes user and admin login details via httpd debug

I was playing around with a FortiMail running version "v5.1,build286,141023 (5.1.4 GA)" and found a serious flaw, IMHO, that exposes users.

The diag debug application httpd commands will expose the web GUI login details, regardless of whether the login belongs to a system admin or a local user: the trace records the credentials as they are submitted in the login request.

Here's the diag debug command used:


Now here's some debug output from a few trace logs:

AdminLogin


Local_User


So even if the user's password is stored encrypted on the appliance, the password as typed at login is still written to the trace log in readable form, because the debug captures the HTTP request itself rather than what is stored.


What this boils down to:

Any mail admin who can run the diag debug command can harvest every user's login/password, and the access details of other admins, simply by enabling an httpd debug trace. Treat any such trace as credential material: restrict who can reach the CLI and run diag debug, and do not hand an unredacted httpd trace to anyone (support tickets included) without changing the passwords it contains.
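As an added example (not from the original post and not FortiMail code), here is a small Python filter of the kind you would run over an httpd debug trace before sharing it: it finds urlencoded login bodies, masks the secret fields, and reports which lines carried credentials. The trace excerpt, the `body:` line format and the field names `username`, `secretkey` and `password` are all constructed assumptions for illustration, not real FortiMail output.

```python
import re

# Constructed sample of an HTTP-layer debug trace (illustrative only; this is
# NOT real FortiMail output, and the form field names are assumptions).
SAMPLE_TRACE = """\
[httpd] POST /admin/login HTTP/1.1
[httpd] Host: fortimail.example.net
[httpd] Content-Type: application/x-www-form-urlencoded
[httpd] body: username=admin&secretkey=S3cr3t%21Pass&ajax=1
[httpd] GET /index.html HTTP/1.1
[httpd] POST /user/login HTTP/1.1
[httpd] body: name=jdoe%40example.net&password=Winter2015&lang=en
[httpd] GET /static/logo.png HTTP/1.1
"""

# Parameter names whose values should never leave the box in clear text.
SECRET_PARAMS = {"password", "passwd", "pwd", "secretkey", "secret", "token"}
# A logged request body: everything after "body:" is the urlencoded form
# (assumed layout for this example).
BODY_RE = re.compile(r"^(?P<prefix>.*\bbody:\s*)(?P<body>\S+)\s*$")
MASK = "***REDACTED***"


def is_secret_param(name: str) -> bool:
    """True for parameter names that look like they carry a credential."""
    n = name.lower()
    return n in SECRET_PARAMS or "pass" in n or "secret" in n


def redact_body(body: str):
    """Mask secret values in a urlencoded body without decoding it.

    Returns (new_body, [names of parameters that were masked]).
    """
    hits, out = [], []
    for pair in body.split("&"):
        key, sep, value = pair.partition("=")
        if sep and is_secret_param(key):
            hits.append(key)
            value = MASK
        out.append(key + sep + value)
    return "&".join(out), hits


def scan_trace(text: str):
    """Redact credentials in a trace; return (redacted_text, findings).

    findings is a list of (1-based line number, parameter name) for every
    secret value that was present in the original trace, so the caller
    knows which accounts need their passwords rotated.
    """
    findings, lines = [], []
    for n, line in enumerate(text.splitlines(), start=1):
        m = BODY_RE.match(line)
        if m:
            body, hits = redact_body(m.group("body"))
            findings.extend((n, h) for h in hits)
            line = m.group("prefix") + body
        lines.append(line)
    redacted = "\n".join(lines) + ("\n" if text.endswith("\n") else "")
    return redacted, findings


if __name__ == "__main__":
    redacted, found = scan_trace(SAMPLE_TRACE)
    for n, p in found:
        print(f"line {n}: credential in parameter {p!r}")
    print(redacted)
```

The filter deliberately leaves the body urlencoded and only swaps out the values of credential-looking parameters, so the rest of the trace stays usable for troubleshooting while the findings list tells you which logins were captured in the clear.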


Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
        o 
       /  \
