{"id":10505,"date":"2025-07-14T12:38:42","date_gmt":"2025-07-14T05:38:42","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10505"},"modified":"2026-02-05T12:38:53","modified_gmt":"2026-02-05T05:38:53","slug":"fortinet-va-lo-hong-sql-injection-nghiem-trong-tren-fortiweb-cve-2025-25257","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/07\/14\/fortinet-va-lo-hong-sql-injection-nghiem-trong-tren-fortiweb-cve-2025-25257\/","title":{"rendered":"Fortinet v\u00e1 l\u1ed7 h\u1ed5ng SQL Injection nghi\u00eam tr\u1ecdng tr\u00ean FortiWeb (CVE-2025-25257)"},"content":{"rendered":"

Fortinet v\u1eeba ph\u00e1t h\u00e0nh b\u1ea3n v\u00e1 cho l\u1ed7 h\u1ed5ng CVE-2025-25257 trong s\u1ea3n ph\u1ea9m FortiWeb. L\u1ed7 h\u1ed5ng n\u00e0y \u0111\u01b0\u1ee3c ch\u1ea5m \u0111i\u1ec3m 9,6\/10 theo thang CVSS, cho ph\u00e9p tin t\u1eb7c ch\u01b0a x\u00e1c th\u1ef1c (unauthenticated attacker) th\u1ef1c thi c\u00e1c c\u00e2u l\u1ec7nh SQL \u0111\u1ed9c h\u1ea1i t\u1eeb xa v\u00e0 th\u1eadm ch\u00ed c\u00f3 th\u1ec3 chi\u1ebfm quy\u1ec1n h\u1ec7 th\u1ed1ng n\u1ebfu kh\u00f4ng \u0111\u01b0\u1ee3c x\u1eed l\u00fd k\u1ecbp th\u1eddi.<\/b><\/p>\n

\n
\"1752483170886.png\"<\/div>\n<\/div>\n

L\u1ed7 h\u1ed5ng b\u1eaft ngu\u1ed3n t\u1eeb m\u1ed9t h\u00e0m c\u00f3 t\u00ean get_fabric_user_by_token trong th\u00e0nh ph\u1ea7n Fabric Connector – n\u01a1i ch\u1ecbu tr\u00e1ch nhi\u1ec7m k\u1ebft n\u1ed1i FortiWeb v\u1edbi c\u00e1c s\u1ea3n ph\u1ea9m kh\u00e1c c\u1ee7a Fortinet.<\/p>\n

L\u1ed7i thu\u1ed9c v\u1ec1 nh\u00f3m SQL Injection (CWE-89) – m\u1ed9t l\u1ed7i ph\u1ed5 bi\u1ebfn nh\u01b0ng c\u1ef1c k\u1ef3 nguy hi\u1ec3m n\u1ebfu t\u1ed3n t\u1ea1i \u1edf c\u1ea5p \u0111\u1ed9 API. Khi FortiWeb nh\u1eadn m\u1ed9t y\u00eau c\u1ea7u HTTP c\u00f3 k\u00e8m theo Bearer token trong header (\u0111\u1ea7u y\u00eau c\u1ea7u). H\u1ec7 th\u1ed1ng s\u1ebd g\u1ecdi h\u00e0m get_fabric_user_by_token, sau \u0111\u00f3 g\u1ecdi ti\u1ebfp fabric_access_check.<\/p>\n

D\u1eef li\u1ec7u t\u1eeb token n\u00e0y kh\u00f4ng \u0111\u01b0\u1ee3c ki\u1ec3m tra v\u00e0 l\u00e0m s\u1ea1ch (sanitize) \u0111\u00fang c\u00e1ch m\u00e0 v\u1eabn \u0111\u01b0\u1ee3c \u0111\u01b0a th\u1eb3ng v\u00e0o truy v\u1ea5n SQL.<\/p>\n

K\u1ebft qu\u1ea3: Tin t\u1eb7c c\u00f3 th\u1ec3 t\u1ef1 vi\u1ebft v\u00e0 th\u1ef1c thi c\u00e2u l\u1ec7nh SQL t\u00f9y \u00fd, d\u00f9 kh\u00f4ng h\u1ec1 \u0111\u0103ng nh\u1eadp v\u00e0o h\u1ec7 th\u1ed1ng.<\/p>\n

\u0110\u1eb7c bi\u1ec7t nguy hi\u1ec3m: N\u1ebfu k\u1ebft h\u1ee3p c\u00e2u l\u1ec7nh SQL nh\u01b0 SELECT… INTO OUTFILE, hacker c\u00f3 th\u1ec3 ghi m\u1ed9t file \u0111\u1ed9c h\u1ea1i l\u00ean h\u1ec7 th\u1ed1ng (v\u00ed d\u1ee5, script Python), sau \u0111\u00f3 th\u1ef1c thi n\u00f3 \u0111\u1ec3 chi\u1ebfm quy\u1ec1n truy c\u1eadp \u2013 t\u1eeb SQL Injection chuy\u1ec3n th\u00e0nh Remote Code Execution (RCE).<\/p>\n

C\u00e1c phi\u00ean b\u1ea3n FortiWeb sau \u0111\u00e2y \u0111\u1ec1u b\u1ecb \u1ea3nh h\u01b0\u1edfng:<\/p>\n