
Sangfor Next Gen Application Firewall (NGAF)

Product
Developers: Sangfor Technologies
Technology: IS - Firewalls

Main article: Firewall

2023: Discovery of Multiple Vulnerabilities Allowing Access to Source Code

On October 11, 2023, the UserGate Monitoring and Response Center warned of multiple vulnerabilities in a product from the Chinese vendor Sangfor: the Next Gen Application Firewall.

Using these vulnerabilities, attackers can gain read-only access to source code and local files, add their own SSO users through SQL injection, and obtain configuration information for the domains connected to the device, including the login and password. This is possible because of a weak authentication mechanism and subsequent manipulation of Apache server responses.

In addition, the watchTowr Labs study demonstrated a proof of concept for two types of RCE: through the Username parameter on the login page (the parameter is passed directly to the shell) and through the PHPSESSIONID cookie.

Sangfor announced that it is aware of some of the mentioned vulnerabilities and that patches have been released.

Specialists from watchTowr Labs and the UserGate Monitoring and Response Center did not find these patches publicly available.

Sangfor could not confirm the remaining vulnerabilities, citing false positives.