HTTP Host header attacks against web proxy disclaimer response webpage

Summary

The FortiOS web proxy disclaimer page is potentially vulnerable to an XSS attack, via maliciously crafted "Host" headers in user HTTP requests. The latter is possible if an attacker is in a Man-in-the-middle position (i.e. able to modify the HTTP requests of the potential victim before they reach the web proxy), or poisons a web cache used by the potential victim.

In the latter attack scenario, the tainted disclaimer web page being cached, the XSS attack can be considered as persistent.

Affected Products

FortiOS 5.6.0 to 5.6.2
FortiOS 5.4.0 to 5.4.7
FortiOS 5.2 and lower versions.

Solutions

FortiOS 5.6 branch: Upgrade to 5.6.3
FortiOS 5.4 branch: Upgrade to 5.4.8
FortiOS 5.2 and lower versions: Upgrade to branch 5.4 or above, or resort to Workarounds below.
Workarounds:
In System->Replacement Messages->Web-proxy->"Web-proxy HTTP Error Page",
remove the following default message content:
URL: %%PROTOCOL%%://%%URL%%

Acknowledgement

Fortinet is pleased to thank "Dhiraj Shrikant Datar, Paramount Computer Systems FZ LLC" for reporting this vulnerability under responsible disclosure.