PSIRT Advisory

FortiGate SSL VPN web portal login redir XSS vulnerability

Summary

A Cross-site Scripting (XSS) vulnerability in the FortiOS SSL-VPN web portal may allow a remote user to inject arbitrary web code or HTML in the context of the victim's browser via the redir parameter of the login page.


A URL redirection attack may also enable a remote user to redirect the victim to an arbitrary URL via the same redir parameter.


Note that the SSL-VPN web portal feature is not enabled by default in FortiOS.
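The two issues above share one root cause: a redirect target taken from the request is reflected into the login page and used as a Location target without being constrained. The following is an added illustration of the server-side check that prevents both, written for this advisory and not taken from FortiOS or any Fortinet code; the function names, the fallback path and the sample inputs are constructed for the example.

```python
"""Constrain a login-page "redir" parameter to a same-origin relative path.

Added example, not Fortinet code. Assumed conventions: the parameter is
named "redir" and the safe fallback landing page is "/".
"""
import html
from urllib.parse import urlsplit, urlunsplit

DEFAULT_TARGET = "/"  # assumed fallback when the supplied value is rejected


def safe_redirect_target(redir: str) -> str:
    """Return a local absolute path derived from `redir`, else DEFAULT_TARGET.

    Rejects values that could leave the origin (a scheme such as https: or
    javascript:, a host, a protocol-relative "//" prefix, backslash variants)
    and values carrying control characters that could split an HTTP header.
    The fragment is dropped because it is never needed server-side.
    """
    if not redir or not redir.startswith("/") or redir.startswith("//"):
        return DEFAULT_TARGET
    if "\\" in redir or any(ord(c) < 0x20 or ord(c) == 0x7F for c in redir):
        return DEFAULT_TARGET
    parts = urlsplit(redir)
    # A leading "/" already precludes scheme and host; keep the check as defence in depth.
    if parts.scheme or parts.netloc:
        return DEFAULT_TARGET
    return urlunsplit(("", "", parts.path, parts.query, ""))


def reflect_in_html(redir: str) -> str:
    """Render the (already constrained) value into the login form, HTML-escaped.

    Escaping covers the XSS side: even a permitted path such as /"><b> cannot
    break out of the attribute once quotes and angle brackets are encoded.
    """
    safe_value = html.escape(safe_redirect_target(redir), quote=True)
    return '<input type="hidden" name="redir" value="%s">' % safe_value


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate, the rest hostile.
    for sample in ["/remote/portal?tab=1#x", "//evil.example/", "javascript:alert(1)",
                   "/\\evil.example", "/a\r\nSet-Cookie: x=1", '/"><b>']:
        print(repr(sample), "->", safe_redirect_target(sample), "|", reflect_in_html(sample))
```

Two design points: the check is an allowlist of shape (must be a local absolute path) rather than a denylist of bad schemes, so new scheme names or encoding tricks do not widen it; and escaping is applied at the point of reflection, separately from validation, because a value that is a safe redirect target can still be unsafe to echo raw into markup.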

Impact

Cross-site Scripting (XSS), URL Redirection Attack

Affected Products

The following versions are affected:

FortiOS 5.6.0 -> 5.6.2
FortiOS 5.4.0 -> 5.4.6
FortiOS 5.2.0 -> 5.2.12
FortiOS 5.0 and below

Solutions

FortiOS 5.6 branch: Upgrade to 5.6.3

FortiOS 5.4 branch: Upgrade to 5.4.7

FortiOS 5.2 branch: Upgrade to 5.2.13


Workarounds


As a workaround on unfixed versions, if the SSL-VPN web portal feature is enabled, disable the SSL-VPN web portal service by applying the following CLI commands:


For FortiOS 5.0 and below branches:

config vpn ssl settings
    set sslvpn-enable disable
end


For FortiOS 5.2, 5.4 and 5.6 branches:

config vpn ssl settings
    unset source-interface
end


Revision


2017-11-23 Initial version

2018-05-15 Clarify the workaround applied versions

2018-09-06 Correct the exploit condition and risk level

Acknowledgement

Fortinet is pleased to thank Stefan Viehböck from SEC Consult Vulnerability Lab for reporting this vulnerability under responsible disclosure. Fortinet also thanks Dan Taler from Content Security Pty Ltd for correcting the incident description and risk level.