PSIRT Advisory

FortiOS SSL VPN web portal Host Header Redirection

Summary

A Host Header Redirection vulnerability exists in FortiOS SSL-VPN web portal: when an attacker submits specially crafted HTTP requests, the SSL-VPN web portal may respond with a redirection to websites specified by the attacker.

If a web proxy's cache is poisoned with the aforementioned redirection, users of this web proxy may be directed to the attacker's specified websites when trying to access the SSL-VPN web portal.
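The pattern behind this class of bug, as an added illustration that is not Fortinet code and does not reproduce FortiOS internals: a portal that copies the request's Host header into a 302 Location lets the client choose the redirect target, while a hardened portal only ever redirects to a configured canonical hostname. The hostnames, the "/portal/login" path and the key=value log format below are all constructed for the example; the last function shows the kind of check a defender can run over access logs to spot requests carrying a Host value the portal was never configured to serve.

```python
"""Host-header redirection: flawed vs hardened redirect construction,
plus a simple log check. Added example, not Fortinet's code."""
from urllib.parse import urlsplit

# Constructed: the hostname administrators actually publish the portal on.
CANONICAL_HOST = "vpn.example.com"
ALLOWED_HOSTS = {CANONICAL_HOST}
LOGIN_PATH = "/portal/login"  # hypothetical path, not a FortiOS path


def normalize_host(raw: str) -> str:
    """Lower-case a Host header value and drop any port suffix."""
    host = raw.strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:443
        return host[: host.index("]") + 1] if "]" in host else host
    return host.split(":", 1)[0]


def vulnerable_redirect(headers: dict) -> str:
    """The flawed pattern: the Location target is taken straight from the
    untrusted Host header, so whoever sends the request picks the site."""
    host = headers.get("Host", "")
    return f"https://{host}{LOGIN_PATH}"


def hardened_redirect(headers: dict) -> str:
    """Hardened form: only an allowlisted Host is honoured; anything else
    is replaced by the canonical hostname, so the redirect never leaves
    the portal's own origin."""
    host = normalize_host(headers.get("Host", ""))
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    return f"https://{host}{LOGIN_PATH}"


def redirect_leaves_site(location: str) -> bool:
    """Check a Location header (e.g. one seen in a proxy cache) and report
    whether it points outside the allowlisted hosts."""
    hostname = (urlsplit(location).hostname or "").lower()
    return hostname not in ALLOWED_HOSTS


# Constructed access-log lines in a simple key=value format.
SAMPLE_LOG = [
    "ts=2019-05-01T10:00:00Z client=203.0.113.5 method=GET host=vpn.example.com path=/",
    "ts=2019-05-01T10:00:07Z client=198.51.100.7 method=GET host=evil.example.net path=/",
    "ts=2019-05-01T10:00:09Z client=198.51.100.7 method=GET host=vpn.example.com:443 path=/",
]


def parse_log_line(line: str) -> dict:
    """Split 'k=v k=v ...' into a dict (constructed format)."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def flag_foreign_host_requests(lines) -> list:
    """Return (client, host) pairs for requests whose Host header is not one
    the portal is configured to serve; these are the requests that could
    seed a cache with an off-site redirect."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if normalize_host(rec.get("host", "")) not in ALLOWED_HOSTS:
            hits.append((rec.get("client", "?"), rec.get("host", "")))
    return hits


if __name__ == "__main__":
    req = {"Host": "evil.example.net"}
    print("flawed   :", vulnerable_redirect(req))
    print("hardened :", hardened_redirect(req))
    print("flagged  :", flag_foreign_host_requests(SAMPLE_LOG))
```

The allowlist approach is the general fix for this bug class: a portal should never derive its own address from request data it did not author, and a shared cache in front of it can apply the same allowlist to any cached 3xx response before serving it.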

Impact

Improper Access Control

Affected Products

FortiOS all versions below 6.0.5

Solutions

Upgrade to FortiOS 6.0.5 or 6.2.0

Workarounds:

The risk is low as the attack needs to be combined with other attacks to have an impact.

As a measure of precaution, administrators may want to disable the SSL-VPN web portal service by applying the following CLI commands:

config vpn ssl settings
unset source-interface
end

Acknowledgement

Fortinet is pleased to thank Julio Sanchez from SecureAuth Corporation for reporting this vulnerability under responsible disclosure.