PSIRT Advisory

FortiOS SSL VPN webportal user credentials present in plain text in client side javascript file

Summary

An information disclosure vulnerability exists in the SSL-VPN web portal of FortiOS: when pages bookmarked in the web portal use the Single sign-on (SSO) feature, the user's webportal's login and password are included in a javascript file sent client-side.
The leaked credential may potentially be captured by an attacker if additional session handling, access control or cross-site scripting vulnerabilities were to be discovered in the SSL-VPN web portal, or in the applications within (or in case of client-side vulnerabilities, in the user's browser).

Impact

Information Disclosure

Affected Products

FortiOS 6.0.0 and below versions

Solutions

Upgrade to FortiOS 6.0.1 or newer versions

Workaround

Avoid using the SSO feature in FortiOS SSL VPN bookmarks, especially if the applications inside the SSL VPN web portal are untrusted.

Acknowledgement

Fortinet is pleased to thank Stephan Neidhardt - link protect GmbH reporting this vulnerability under responsible disclosure.