PSIRTFortiGate SSL VPN web portal login redir XSS vulnerability
Summary
Failure to sanitize the login redir parameter in the SSL-VPN web portal may allow an attacker to perform a Cross-site Scripting (XSS) or an URL Redirection attack.
Affected Products
FortiOS 6.0.0 -> 6.0.4FortiOS 5.6.0 -> 5.6.7
FortiOS 5.4 and below.
Solutions
Upgrade to FortiOS 5.6.8, 6.0.5 or 6.2.0 Workarounds: For workaround on the unfixed versions, if the SSL-VPN web portal feature was enabled, disable the SSL-VPN web portal service by applying the following CLI commands: For FortiOS 5.0 and below branches: config vpn ssl settings set sslvpn-enable disable end For FortiOS 5.2, 5.4 and 5.6 branches: config vpn ssl settings unset source-interface end Revision History: 2017-11-23 Initial version 2018-05-15 Clarify the workaround applied versions 2018-09-06 Correct the exploit condition and risk level 2019-05-15 Fixed version and Risk level updatedAcknowledgement
Fortinet is pleased to thank Stefan Viehböck from SEC Consult Vulnerability Lab, Dan Taler from Content Security Pty Ltd, Sage Data Security, Julio Sanchez from SecureAuth Corporation and Meh Chang and Orange Tsai from DEVCORE Security Research Team for reporting this vulnerability under responsible disclosure.