FortiGate SSL VPN Portal XSS Vulnerability 'redir'@/remote/loginredir
Summary
Failure to sanitize the login redir parameter in the SSL-VPN web portal may allow an attacker to perform a Cross-site Scripting (XSS) or a URL Redirection attack.
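The root cause in the summary, as an added illustration in Python (not FortiOS code): a login handler that validates the redir value before using it, beside the unchecked pattern the advisory warns about. The landing-page path, the function names and the accept/reject policy are assumptions.

```python
"""Validating a post-login 'redir' parameter so it can only point back into
the same portal. Added example, not FortiOS code; the defaults are assumed."""
from typing import Optional
from urllib.parse import urlsplit, unquote
import html

DEFAULT_LANDING = "/remote/index"  # assumed fallback page inside the portal


def safe_redirect_target(redir: Optional[str]) -> str:
    """Return a same-origin relative path, or the default landing page.

    Anything that could leave the origin or change context is rejected:
    absolute URLs, protocol-relative '//host', backslash variants,
    scheme-only values such as 'javascript:' or 'data:', and control chars.
    """
    if not redir:
        return DEFAULT_LANDING
    candidate = unquote(redir)  # decode once so encoded forms are visible
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return DEFAULT_LANDING  # CR/LF and friends: header injection, obfuscation
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return DEFAULT_LANDING  # off-site target or javascript:/data: pseudo-URL
    path = parts.path
    if not path.startswith("/") or path.startswith(("//", "/\\")):
        return DEFAULT_LANDING  # empty, relative, or protocol-relative path
    if "\\" in path:
        return DEFAULT_LANDING  # browsers may treat a backslash as a slash
    # keep the validated path and its query; a fragment is never sent anyway
    return path + (f"?{parts.query}" if parts.query else "")


def login_page_vulnerable(redir: str) -> str:
    """The pattern the advisory describes: the value is reflected unchecked."""
    return f'<meta http-equiv="refresh" content="0; url={redir}">'


def login_page_hardened(redir: str) -> str:
    """Validate first, then HTML-encode at the point of output."""
    target = html.escape(safe_redirect_target(redir), quote=True)
    return f'<meta http-equiv="refresh" content="0; url={target}">'
```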
Affected Products
FortiOS 6.0.0 -> 6.0.4
FortiOS 5.6.0 -> 5.6.7
FortiOS 5.4 and below.
Solutions
Upgrade to FortiOS 5.6.8, 6.0.5 or 6.2.0
Workarounds:
As a workaround on unfixed versions, if the SSL-VPN web portal feature is enabled, disable the SSL-VPN web portal service by applying the following CLI commands:
For FortiOS 5.0 and below branches:
config vpn ssl settings
set sslvpn-enable disable
end
For FortiOS 5.2, 5.4 and 5.6 branches:
config vpn ssl settings
unset source-interface
end
Revision History:
2017-11-23 Initial version
2018-05-15 Clarify the versions the workaround applies to
2018-09-06 Correct the exploit condition and risk level
2019-05-15 Fixed versions and risk level updated