PSIRT Advisory

FortiGate SSL VPN web portal login redir XSS vulnerability

Summary

A Cross-site Scripting (XSS) vulnerability in the FortiOS SSL-VPN web portal may allow an authenticated user to inject arbitrary web code or HTML in the context of the victim's browser via the login redir parameter.

A URL Redirection Attack may also allow an authenticated user to redirect the victim to an arbitrary URL via the redir parameter.

Note that the SSL-VPN web portal feature is not enabled by default in FortiOS.
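The two weaknesses above share one root cause: a post-login redirect parameter that is reflected into the page and used as a navigation target without being validated. The following is an added illustration of the defensive pattern for a generic web application, not FortiOS or Fortinet code; the function names (is_safe_redirect, sanitize_redirect, render_login_link_safe) and the parameter name redir are assumptions for the example.

```python
# Added example: validating a login "redir" parameter so that it can neither
# send the victim off-site (open redirect) nor break out of an HTML attribute
# (reflected XSS). Generic pattern, not FortiOS code; names are hypothetical.
from html import escape
from urllib.parse import urlsplit

FALLBACK_TARGET = "/"  # where to send the user when redir is rejected


def is_safe_redirect(target: str) -> bool:
    """Return True only for a same-origin, path-relative target.

    Rejects absolute URLs (any scheme, including javascript:/data:),
    scheme-relative URLs (//host), backslash variants (/\\host, which
    browsers normalise to //host) and anything containing control
    characters or whitespace that some URL parsers silently drop.
    """
    if not target:
        return False
    if any(ord(ch) < 0x20 or ch == " " or ch == "\x7f" for ch in target):
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    if not target.startswith("/"):
        return False
    if target.startswith("//") or target.startswith("/\\"):
        return False
    return True


def sanitize_redirect(target: str, fallback: str = FALLBACK_TARGET) -> str:
    """Return the target if it passes validation, otherwise the fallback."""
    return target if is_safe_redirect(target) else fallback


def render_login_link_unsafe(redir: str) -> str:
    """Vulnerable pattern for contrast: the parameter is reflected verbatim,
    so a quote in redir terminates the attribute and arbitrary markup follows."""
    return f'<a href="{redir}">Continue to portal</a>'


def render_login_link_safe(redir: str) -> str:
    """Hardened pattern: validate the destination, then HTML-escape it
    (quote=True also escapes the double quote that delimits the attribute)."""
    return f'<a href="{escape(sanitize_redirect(redir), quote=True)}">Continue to portal</a>'


if __name__ == "__main__":
    # Constructed sample inputs: what a login page might receive in redir.
    samples = [
        "/sslvpn/portal.html",
        "/dashboard?tab=1&view=all",
        "https://attacker.invalid/",        # absolute URL: rejected
        "//attacker.invalid/",              # scheme-relative: rejected
        "/\\attacker.invalid/",             # backslash variant: rejected
        "javascript:alert(document.domain)",  # script scheme: rejected
        '"><script>alert(1)</script>',      # attribute break-out: rejected
    ]
    for s in samples:
        print(f"{s!r:45} safe={is_safe_redirect(s)!s:5} -> {render_login_link_safe(s)}")
```

The validator deliberately takes an allow-list view (must start with a single slash, no scheme, no host) rather than trying to block known-bad prefixes; escaping alone would stop the XSS but not the open redirect, and validation alone would stop the redirect but not a break-out via quotes, so both steps are needed.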

Impact

Cross-site Scripting (XSS), URL Redirection Attack

Affected Products

The following versions are affected:

FortiOS 5.6.0 -> 5.6.2
FortiOS 5.4.0 -> 5.4.6
FortiOS 5.2.0 -> 5.2.12
FortiOS 5.0 and below

Solutions

FortiOS 5.6 branch: Upgrade to 5.6.3
FortiOS 5.4 branch: Upgrade to 5.4.7
FortiOS 5.2 branch: Upgrade to 5.2.13

Workarounds

If the SSL-VPN web portal feature is enabled, disable it by applying the following CLI commands:

For FortiOS 5.0 and below:
config vpn ssl settings
set sslvpn-enable disable
end

For FortiOS 5.2 and above:
config vpn ssl settings
unset source-interface
end

Acknowledgement

Fortinet is pleased to thank Stefan Viehböck from SEC Consult Vulnerability Lab for reporting this vulnerability under responsible disclosure.