FortiOS SSL VPN web portal user credentials present in plain text in client-side JavaScript file

Summary

An information disclosure vulnerability exists in the SSL-VPN web portal of FortiOS: when pages bookmarked in the web portal use the Single Sign-On (SSO) feature, the user's web portal login and password are included in a JavaScript file sent to the client.
The leaked credentials could be captured by an attacker if additional session handling, access control or cross-site scripting vulnerabilities were to be discovered in the SSL-VPN web portal or in the applications published through it (or, in the case of client-side vulnerabilities, in the user's browser).

Affected Products

FortiOS 6.0.0 and earlier versions

Solutions

Upgrade to FortiOS 5.6.6, 6.0.1 or any version after 6.0.1.

Workaround: Avoid using the SSO feature in FortiOS SSL VPN bookmarks, especially if the applications inside the SSL VPN web portal are untrusted.

Acknowledgement

Fortinet is pleased to thank Stephan Neidhardt of link protect GmbH for reporting this vulnerability under responsible disclosure.