Two vulnerabilities have been reported in FortiGate, which can be exploited by malicious people and users to bypass certain security restrictions.

1) The URL blocking functionality can be bypassed by specially-crafted HTTP requests that are terminated by the LF character instead of the CRLF characters. It is also possible to bypass the functionality via a HTTP/1.0 request with no host header or fragmented GET or POST requests.

The vulnerability has been reported in FortiOS v2.8MR10, v3beta, and in all FortiGate models running FortiGuard Web Filtering services.

2) An error exists in the FortiGate FTP proxy within the handling of the STOR command. This can be exploited to bypass the virus scanning functionality by an FTP client that proceeds to send the file content before the FTP server responds to the STOR command.

The vulnerability has been reported in FortiOS v2.8MR10, v3beta, and in all FortiGate models running FTP Anti-Virus scanning services.

Solution
Apply firmware updates.
Further details available in Customer Area

Provided and/or discovered by
1) Mathieu Dessus and Danux
2) Mathieu Dessus

Changelog
Further details available in Customer Area

Original Advisory
Fortinet:
http://www.fortiguardcenter.com/advisory/FGA-2006-09.html
http://www.fortiguardcenter.com/advisory/FGA-2006-10.html

http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042139.html
http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042140.html
http://archives.neohapsis.com/archives/bugtraq/2008-01/0033.html

Deep Links
Links available in Customer Area