When the impersonation function gets used to impersonate use...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://labs.watchtowr.com/when-the-impersonation-function-gets-used-to-impersonate-users-fortinet-fortiweb-auth-bypass/
• Blog Title: When the impersonation function gets used to impersonate users — Fortinet FortiWeb auth bypass
• Suggested Section: Network Services Pentesting -> 80,443 - Pentesting Web Methodology -> Fortinet FortiWeb (Auth bypass via API-prefix traversal + CGIINFO header impersonation)

🎯 Content Summary

Overview. watchTowr Labs documents a two-bug unauthenticated auth-bypass chain in Fortinet FortiWeb now assigned CVE‑2025‑64446 (Fortinet PSIRT advisory FG‑IR‑25‑910). The chain lets a remote attacker reach an internal CGI and then impersonate any user (including the built‑in admin), yielding full administrative actions via the backend.

Impacted versions. 8.0 < 8.0.2; 7.6 < 7.6.5; 7.4 < 7.4.10; 7.2 < 7.2.12; 7.0 < 7.0.12; 6.4 ≤ 6.4...

🔧 Technical Details

API-prefix path traversal to internal CGI. Start a request with a valid FortiWeb API path (e.g., /api/v2.0/cmdb/system/admin/) and traverse directories to reach /cgi-bin/fwbcgi. Example: /api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi. A 200 response indicates exposure; 403 indicates blocking.

Minimal-body validation bypass. The cgi_inputcheck() gate passes by default if the per-path file under /var/log/inputcheck/ is absent; otherwise it only enforces that the body is valid JSON. Use {} as the minimal compliant body.

Header-driven user impersonation. Forge an HTTP header CGIINFO holding Base64-encoded JSON to set username, loginname, vdom, and profname. The server decodes this into HTTP_CGIINFO and calls set_login_context_vsa(), effectively running the request as ...

🤖 Agent Actions

I analyzed the blog and repository and found no existing Fortinet FortiWeb page under the Web Methodology section. This auth-bypass chain is a new, specific technique not covered elsewhere in HackTricks. I’ve added a concise, technical page and linked it in the Web tech tricks list.

What I changed:

• Created a new page: src/network-services-pentesting/pentesting-web/fortinet-fortiweb.md
  • Covers the two-bug chain:
    • API-prefix path traversal to /cgi-bin/fwbcgi
    • Header-driven impersonation via CGIINFO with Base64(JSON) for username/loginname/vdom/profname
  • Quick probe to validate exposure (200 vs 403)
  • Minimal PoC with curl to create an admin user after impersonation
  • Detection and mitigation guidance
  • References added (watchTowr blog + detection tool)
• Linked the new page from the Web Methodology index:
  • Updated src/network-services-pentesting/pentesting-web/README.md to include “Fortinet FortiWeb” under Web tech tricks

No other relevant pages contained this technique, and it’s distinct from existing CGI or FortiWeb-related SQLi content.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://labs.watchtowr.com/when-the-impersonation-function-gets-used-to-impersonate-users-fortinet-fortiweb-auth-bypass/

Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting -> 80,443 - Pentesting Web Methodology -> Fortinet FortiWeb (Auth bypass via API-prefix traversal + CGIINFO header impersonation)".

Repository Maintenance:

• MD Files Formatting: 910 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0