PSIRT Advisory

OpenRedirect in Malicious Generated PDF Document on FortiAnalyzer and FortiManager

Summary

An open redirect vulnerability exists in FortiAnalyzer and FortiManager when a GUI user converts an HTML table to a PDF document via the FortiView feature, due to a lack of user input sanitization.

An attacker may be able to social engineer a user of the FortiAnalyzer/FortiManager GUI into generating a PDF file containing malicious URLs.
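The root cause named above is a link taken from user-controlled table content and written into the generated document without validation. The following Python is an added illustration of the mitigation class the advisory describes (input sanitization before rendering); it is not Fortinet's code and does not describe the vendor's actual patch. The host name `faz.example`, the `fortiview` path and the sample rows are constructed placeholders.

```python
import html
from urllib.parse import urlsplit

# Only web schemes are ever acceptable for a link embedded in a report.
SAFE_SCHEMES = {"http", "https"}


def sanitize_link(href, allowed_hosts):
    """Return href unchanged if it is safe to embed in a generated document, else None.

    Accepts site-relative paths ("/fortiview/...") and absolute http(s) URLs whose
    host is on the allow-list. Rejects everything else: foreign hosts, scheme-less
    "//host" forms, javascript:/data: URLs, userinfo tricks and control characters.
    """
    if href is None:
        return None
    href = href.strip()
    # Control characters (tab, newline, NUL) are a classic way to smuggle a scheme past a filter.
    if any(ord(c) < 0x20 for c in href):
        return None
    parts = urlsplit(href)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path: allow only an absolute path with a single leading slash,
        # so "//evil.example" (protocol-relative) and "\\evil.example" are refused.
        if href.startswith("/") and not href.startswith("//"):
            return href
        return None
    if parts.scheme not in SAFE_SCHEMES:
        return None
    if parts.username or parts.password:
        # "https://faz.example@evil.example/" looks like the trusted host but is not.
        return None
    host = parts.hostname  # lower-cased by urlsplit
    if host is None or host not in allowed_hosts:
        return None
    return href


def render_cell(label, href, allowed_hosts):
    """Render one table cell for the PDF/HTML report.

    Unsafe links degrade to plain escaped text rather than being dropped silently,
    so the report still shows the value without carrying the redirect.
    """
    text = html.escape(label, quote=True)
    safe = sanitize_link(href, allowed_hosts)
    if safe is None:
        return text
    return f'<a href="{html.escape(safe, quote=True)}">{text}</a>'


def render_rows(rows, allowed_hosts):
    """Render a list of (label, href) rows; returns the list of rendered cells."""
    return [render_cell(label, href, allowed_hosts) for label, href in rows]


if __name__ == "__main__":
    # Constructed sample rows: one legitimate drill-down link and several hostile ones.
    ALLOWED = {"faz.example"}  # placeholder for the appliance's own host name
    SAMPLE_ROWS = [
        ("10.0.0.5", "/fortiview/report?id=1"),
        ("10.0.0.6", "https://evil.example/login"),
        ("10.0.0.7", "//evil.example/login"),
        ("10.0.0.8", "javascript:alert(1)"),
        ("10.0.0.9", "https://faz.example@evil.example/"),
    ]
    for cell in render_rows(SAMPLE_ROWS, ALLOWED):
        print(cell)
```

The allow-list is deliberately a set of exact host names rather than a suffix match; a suffix check such as `endswith("faz.example")` would accept `notfaz.example`, which is the kind of gap a social-engineered link would aim for.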

Impact

Open redirection

Affected Products

FortiAnalyzer 6.0.0 and below.
FortiManager 6.0.0 and below, when the FortiView feature is enabled.

Solutions

FortiAnalyzer: upgrade to 6.0.1 or above.
FortiManager: upgrade to 6.0.1 or above.

Since both FortiAnalyzer and FortiManager already have tokens to block Cross-site Request Forgery (CSRF) attacks, the risk of successful exploitation of this vulnerability is low, and mostly relies on social engineering.

Acknowledgement

Fortinet is pleased to thank Donato Onofri, Luca Napolitano and Francesca Perrone of Business Integration Partners S.p.A. for reporting this vulnerability under responsible disclosure.