PSIRT Advisory

FortiOS Reflected XSS in Web Proxy Disclaimer Response web page

Summary

A reflected XSS vulnerability exists in the FortiOS web proxy disclaimer response web pages. It is potentially exploitable by an unauthenticated attacker who sends a maliciously crafted URL to the victim; when the victim visits that URL, arbitrary JavaScript code is executed in the security context of their browser.

Impact

Cross-site Scripting (XSS)

Affected Products

FortiOS 5.6.0
FortiOS 5.4.0 to 5.4.5
FortiOS 5.2.0 to 5.2.11

Solutions

Upgrade to FortiOS 5.2.12, 5.4.6 or 5.6.1

Workaround

In System->Replacement Messages->Web-proxy->"Web-proxy HTTP Error Page", remove the following default message content:

    URL: %%PROTOCOL%%://%%URL%%
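
Added illustration (not Fortinet code) of why the workaround helps: a minimal Python stand-in for a replacement-message renderer substitutes the %%PROTOCOL%% and %%URL%% placeholders into an error-page template with and without HTML escaping, alongside the template with the URL line removed as advised above. The template text, the render function and the sample request URL are constructed assumptions, not FortiOS internals.

```python
import html
import re

# Constructed stand-in for the "Web-proxy HTTP Error Page" template; the
# placeholder names are the ones the advisory tells you to remove.
DEFAULT_TEMPLATE = (
    "<html><body><h1>Proxy Error</h1>\n"
    "<p>The requested page could not be fetched.</p>\n"
    "<p>URL: %%PROTOCOL%%://%%URL%%</p>\n"
    "</body></html>"
)

# The workaround from the advisory: same template, URL line deleted.
WORKAROUND_TEMPLATE = DEFAULT_TEMPLATE.replace(
    "<p>URL: %%PROTOCOL%%://%%URL%%</p>\n", "")

PLACEHOLDER = re.compile(r"%%(PROTOCOL|URL)%%")


def render(template: str, protocol: str, url: str, escape: bool) -> str:
    """Substitute request-derived values into the template.

    escape=False models a renderer that copies the raw request URL into the
    HTML body (the reflected-XSS condition); escape=True is the hardened
    form, HTML-encoding each value before substitution.
    """
    values = {"PROTOCOL": protocol, "URL": url}

    def sub(m):
        v = values[m.group(1)]
        return html.escape(v, quote=True) if escape else v

    return PLACEHOLDER.sub(sub, template)


def reflects_markup(page: str, untrusted: str) -> bool:
    """True if an untrusted value containing HTML metacharacters appears
    verbatim in the rendered page, i.e. the browser would parse it as markup."""
    return any(c in untrusted for c in "<>\"'") and untrusted in page


# Constructed request URL carrying HTML metacharacters, as a browser would
# send it after the user follows an untrusted link.
SAMPLE_URL = 'example.invalid/path?q="><b>x</b>'

if __name__ == "__main__":
    raw = render(DEFAULT_TEMPLATE, "http", SAMPLE_URL, escape=False)
    print("unescaped page reflects markup:", reflects_markup(raw, SAMPLE_URL))
    fixed = render(DEFAULT_TEMPLATE, "http", SAMPLE_URL, escape=True)
    print("escaped page reflects markup:", reflects_markup(fixed, SAMPLE_URL))
    wa = render(WORKAROUND_TEMPLATE, "http", SAMPLE_URL, escape=False)
    print("workaround page contains URL:", SAMPLE_URL in wa)
```

The unescaped render reproduces the URL verbatim inside the page body; the escaped render and the workaround template do not, which is the property the upgrade and the workaround respectively restore.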

Update Revisions

2018-05-14 Add workaround for old FortiOS versions.
2017-11-03 Initial version.

Acknowledgement

Fortinet is pleased to thank "usd AG" and "Serge Ivanov of Payvision BV" for reporting this vulnerability under responsible disclosure.