PSIRT Advisory

FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests


Summary

A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.
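The summary describes the issue class, path traversal in resource requests to a web portal, without giving request details. The following is an added example for defenders, not code from Fortinet or from this advisory: a small Python detector that runs over web-server access-log lines and flags requests whose path, after full URL-decoding and normalisation, escapes the resource root the portal is expected to serve from. The log lines and the resource root "/portal/static/" are constructed placeholders; substitute the real log format and the portal's own resource prefix for your environment.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample access-log lines in common log format.
# These are illustrative only and do not come from the advisory or a real device.
SAMPLE_LOG = """\
10.0.0.5 - - [24/May/2019:10:01:02 +0000] "GET /portal/static/app.js HTTP/1.1" 200 5120
10.0.0.5 - - [24/May/2019:10:01:03 +0000] "GET /portal/static/../../etc/hosts HTTP/1.1" 404 0
10.0.0.6 - - [24/May/2019:10:01:04 +0000] "GET /portal/static/..%2f..%2fetc%2fhosts HTTP/1.1" 404 0
10.0.0.7 - - [24/May/2019:10:01:05 +0000] "GET /portal/static/%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 404 0
10.0.0.8 - - [24/May/2019:10:01:06 +0000] "GET /portal/static/img/logo.png?v=2 HTTP/1.1" 200 800
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(path: str, max_rounds: int = 5) -> str:
    """URL-decode until the value stops changing, so double-encoded
    sequences such as %252e%252e (-> %2e%2e -> ..) are resolved."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_request(target: str, root: str) -> Optional[str]:
    """Return a reason string if the request target looks like a traversal
    attempt against resources under `root`, or None if it looks benign."""
    root_prefix = posixpath.normpath(root).rstrip("/") + "/"
    decoded = decode_fully(target.split("?", 1)[0])   # drop the query string
    normalized = posixpath.normpath(decoded)           # collapse "." and ".."
    if not (normalized + "/").startswith(root_prefix):
        return f"escapes resource root: {normalized}"
    if any(segment == ".." for segment in decoded.split("/")):
        return "contains parent-directory segment (stays within root)"
    return None


def analyze_log(log_text: str, root: str) -> List[Tuple[str, str, str]]:
    """Scan access-log lines and return (client_ip, target, reason) for every
    request that classify_request() flags."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that do not parse
        target = match.group("target")
        reason = classify_request(target, root)
        if reason is not None:
            findings.append((match.group("ip"), target, reason))
    return findings


if __name__ == "__main__":
    for ip, target, reason in analyze_log(SAMPLE_LOG, "/portal/static/"):
        print(f"{ip} {target} -> {reason}")
```

The decode-then-normalise order matters: a single decoding pass would miss the double-encoded third attempt, and normalising before decoding would treat "%2f" as an ordinary character rather than a path separator. Requests that use ".." but stay inside the root are reported separately, since they are unusual for a browser but do not by themselves reach outside the served directory.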


Impact

Information Disclosure

Affected Products

FortiOS 5.6.3 to 5.6.7

FortiOS 6.0.0 to 6.0.4

ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled.

Other versions are not affected.


Solutions

Upgrade to FortiOS 5.6.8, 6.0.5 or 6.2.0.


Workaround

As a temporary solution, the only workaround is to disable the SSL VPN service entirely (both web-mode and tunnel-mode) by applying the following CLI commands:

config vpn ssl settings
    unset source-interface
end

Note that firewall policies tied to SSL VPN will need to be unset first for the above sequence to execute successfully.

As an example, when the source-interface is "port1" and the SSL VPN interface is "ssl.root", the following CLI commands would be needed beforehand to ensure that "unset source-interface" executes successfully:

config vpn ssl settings
    config authentication-rule
        purge          (purge all authentication rules)
    end
end

config firewall policy
    delete [policy-id]   (each SSL VPN policy ID whose srcintf is "ssl.root" and dstintf is "port1")
end

Revision History:

2019-05-24 Initial version
2019-06-04 Clarified the impacted versions and workarounds.


Acknowledgement

Fortinet is pleased to thank Meh Chang and Orange Tsai from DEVCORE Security Research Team for reporting this vulnerability under responsible disclosure.