PSIRT Advisory

FortiOS SSL VPN web portal Host Header Redirection

Summary

A Host Header Redirection vulnerability exists in the FortiOS SSL-VPN web portal: when an attacker submits specially crafted HTTP requests, the SSL-VPN web portal may respond with a redirection (HTTP Location header) to a website specified by the attacker, because the redirect target is built from the attacker-controlled Host header.


If a web proxy's cache is poisoned with this redirection, users behind that proxy may be sent to the attacker's website when trying to access the SSL-VPN web portal.
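The following Python example is added to this advisory as an illustration and is not Fortinet or FortiOS code. It contrasts a redirect builder that trusts the Host header with one that validates it against an allow-list and a configured canonical hostname, and it checks a raw HTTP response for two things a tester or defender wants to know: whether the Location header reflects the Host value sent in the probe, and whether a shared proxy cache would be permitted to store that redirect (the precondition for the cache-poisoning scenario above). Host names, paths and function names are hypothetical, and the sample responses are constructed, not captured from a FortiGate.

```python
"""Host-header redirection: vulnerable vs. hardened Location construction,
plus an offline check of a raw HTTP response for Host reflection and for
shared-cache storability.

Added illustration for this advisory; not FortiOS code. Host names, paths and
function names are hypothetical, and the sample responses are constructed.
"""
from urllib.parse import urlsplit

CANONICAL_HOST = "vpn.example.com"           # assumed portal hostname
ALLOWED_HOSTS = frozenset({CANONICAL_HOST})  # assumed allow-list for Host
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def build_redirect_vulnerable(host_header: str, path: str) -> str:
    """Trusts the client-supplied Host header when building an absolute Location.
    A request carrying 'Host: evil.example' yields a redirect to evil.example."""
    return f"https://{host_header}{path}"


def _safe_path(path: str) -> str:
    """Allow only a local, single-slash absolute path; a '//' or '/\\' prefix
    would be read by browsers as a scheme-relative URL to another host."""
    if not path.startswith("/") or path[1:2] in ("/", "\\"):
        return "/"
    return path


def build_redirect_hardened(host_header: str, path: str,
                            allowed_hosts=ALLOWED_HOSTS) -> str:
    """Uses the Host header only if it is on the allow-list; otherwise falls
    back to the configured canonical hostname."""
    host = (host_header or "").strip().lower()
    if host not in allowed_hosts:
        host = CANONICAL_HOST
    return f"https://{host}{_safe_path(path)}"


def parse_response(raw: bytes):
    """Minimal parser for a raw HTTP/1.x response head: (status, {name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def location_reflects_host(raw: bytes, probe_host: str) -> bool:
    """True if the response is a redirect whose Location points at probe_host,
    i.e. the Host header sent in the probe request was reflected."""
    status, headers = parse_response(raw)
    location = headers.get("location", "")
    if status not in REDIRECT_STATUSES or not location:
        return False
    return urlsplit(location).netloc.lower() == probe_host.lower()


def shared_cache_may_store(raw: bytes) -> bool:
    """Conservative RFC 7234 reading: a shared cache may store the response when
    Cache-Control lacks no-store/private and either the status is cacheable by
    default (301 and 308 among the redirects) or explicit freshness (max-age,
    s-maxage, Expires) is present. A storable attacker-controlled redirect is
    what turns this bug into proxy cache poisoning."""
    status, headers = parse_response(raw)
    cc = headers.get("cache-control", "").lower()
    if "no-store" in cc or "private" in cc:
        return False
    explicit_freshness = "max-age" in cc or "s-maxage" in cc or "expires" in headers
    return status in (301, 308) or explicit_freshness


# Constructed sample responses (not captured from a FortiGate).
VULNERABLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://evil.example/login\r\n"
    b"Cache-Control: max-age=600\r\n"
    b"Content-Length: 0\r\n\r\n"
)
FIXED_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://vpn.example.com/login\r\n"
    b"Cache-Control: no-store\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(build_redirect_vulnerable("evil.example", "/login"))
    print(build_redirect_hardened("evil.example", "/login"))
    print(location_reflects_host(VULNERABLE_RESPONSE, "evil.example"),
          shared_cache_may_store(VULNERABLE_RESPONSE))
```

When probing a real portal, send the request with a Host value you control and feed the raw response to `location_reflects_host`; if it also passes `shared_cache_may_store`, any caching proxy between users and the portal is at risk of serving the poisoned redirect.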

Impact

Improper Access Control

Affected Products

FortiOS 5.4.0 through 6.0.4, and FortiOS 5.2.14 and below.

Solutions

Upgrade to FortiOS 5.2.15, 6.0.5 or 6.2.0 (or later).


Workarounds:


The risk is low, as the attack only has an impact when combined with other attacks (for example, poisoning the cache of a web proxy in front of the portal).


As a precaution, administrators may disable the SSL-VPN service by applying the following CLI commands. Note that this removes the interface(s) SSL-VPN listens on, so it disables tunnel-mode access as well as the web portal:

config vpn ssl settings
unset source-interface
end


Revision History:
2019-05-17 Initial version
2020-01-03 Fix for 5.2.15 released.

Acknowledgement

Fortinet is pleased to thank Julio Sanchez from SecureAuth Corporation for reporting this vulnerability under responsible disclosure.