Watchtowr Labs

**Name of the Vulnerable Software and Affected Versions** Sangfor Next-Gen Application Firewall version NGAF8.0.17 **Description** The Sangfor Next-Gen Application Firewall is affected by an operating system command injection issue. A remote, unauthenticated attacker can execute arbitrary commands by sending a specially crafted HTTP POST request to the `/cgi-bin/login.cgi` endpoint. This is due to improper handling of shell meta-characters within the `PHPSESSID` cookie. The vulnerability allows for remote code execution. **Recommendations** Sangfor Next-Gen Application Firewall version NGAF8.0.17: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sangfor Next-Gen Application Firewall version NGAF8.0.17 **Description** The issue is related to a source code disclosure vulnerability. A remote and unauthenticated attacker can obtain PHP source code by sending an HTTP request with an invalid `Content-Length` field. This allows the attacker to access sensitive information. **Recommendations** For Sangfor Next-Gen Application Firewall version NGAF8.0.17, consider restricting access to the HTTP endpoint that handles requests with the `Content-Length` field until a patch is available. As a temporary workaround, disabling the handling of invalid `Content-Length` fields may help mitigate the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sangfor Next-Gen Application Firewall version NGAF8.0.17 **Description** The issue allows a remote and unauthenticated attacker to bypass authentication and access administrative functionality. This is achieved by sending HTTP requests with a crafted `Y-forwarded-for` header. The vulnerability is related to an authentication bypass, which can be exploited using specially formed HTTP requests. **Recommendations** For Sangfor Next-Gen Application Firewall version NGAF8.0.17, consider restricting access to administrative functionality until a patch is available. As a temporary workaround, avoid using the `Y-forwarded-for` header in HTTP requests to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Sangfor Next-Gen Application Firewall version NGAF8.0.17 **Description** The issue is related to an authenticated file disclosure vulnerability. A remote and authenticated attacker can read arbitrary system files using the "svpn html/loadfile.php" endpoint. This can be exploited by a remote and unauthenticated attacker under certain conditions. The vulnerability is associated with a lack of protection for service data, which can allow a remote attacker to disclose protected information. **Recommendations** For Sangfor Next-Gen Application Firewall version NGAF8.0.17, consider restricting access to the "svpn html/loadfile.php" endpoint to minimize the risk of exploitation. As a temporary workaround, consider disabling the use of this endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sangfor Next-Gen Application Firewall version NGAF8.0.17 **Description** The issue is related to an operating system command injection vulnerability. A remote and unauthenticated attacker can execute arbitrary commands by sending a crafted HTTP POST request to the "/LogInOut.php" endpoint. This vulnerability is due to the mishandling of shell meta-characters in the `un` parameter. **Recommendations** For Sangfor Next-Gen Application Firewall version NGAF8.0.17, as a temporary workaround, consider restricting access to the "/LogInOut.php" endpoint until a patch is available. Additionally, avoid using the `un` parameter in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.