FortiOS Remote Access Web Portal – XSS Vulnerability
Monday, November 5th, 2012
Fortinet delivers a comprehensive portfolio of security gateways and complementary products. FortiGate platforms integrate the FortiOS™ operating system with FortiASIC™ processors and the latest-generation CPUs to provide comprehensive, high-performance security. By using a specially crafted URL in an HTTP request, it is possible to achieve an XSS attack, potentially giving access to confidential information, such as session cookies.
Fortinet FortiOS contains a flaw that allows a non-persistent (reflected) cross-site scripting (XSS) attack. The input passed to the redir parameter at http://x.x.x.x/remote/logincheck is not properly sanitized. The redir parameter can be injected either in the body of a POST request (as a form parameter) or through a GET request (as a URL query parameter). This may allow an attacker to execute arbitrary script code in the browser of a user who follows a crafted link to the portal.
As this range of products is used for SSL VPN authentication, the issue can be exploited to attack portal users and potentially gain unauthorised access to the target internal network.
Found and tested on: SSLVPN-FGT200B Remote Access Web Portal, but it is known not to be the only model affected.
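The following Python script is an added example, not code from the advisory or from Fortinet. It shows how a practitioner would verify this class of reflection and what the corresponding server-side fix looks like. The path /remote/logincheck and the redir parameter come from the advisory; everything else is assumed for illustration: the canary string, the default landing path /remote/portal, and a generic login form that echoes redir into a hidden field (an illustrative reconstruction of the defect class, not the actual FortiOS page). The probe builders only construct the GET and POST requests; they do not send anything, and the canary carries no executable payload, it only tests whether the four characters an HTML sink must neutralise come back verbatim.

```python
import html
import re
import urllib.parse
from urllib.parse import urlparse

# Path and parameter named in the advisory; everything else is assumed.
LOGINCHECK_PATH = "/remote/logincheck"
DEFAULT_TARGET = "/remote/portal"   # assumed post-login landing page

# Harmless canary: a unique stem followed by the four characters an HTML
# sink must neutralise. Nothing executes; we only test whether they are
# reflected unencoded.
CANARY = 'xsscanary"\'<>'
STEM, SPECIALS = CANARY[:-4], CANARY[-4:]

ENTITY = re.compile(r"&(#x[0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);")


def build_get_probe(base_url):
    """redir supplied as a URL query parameter (the GET vector in the advisory)."""
    query = urllib.parse.urlencode({"redir": CANARY})
    return f"{base_url.rstrip('/')}{LOGINCHECK_PATH}?{query}"


def build_post_probe(base_url):
    """redir supplied in the form body (the POST vector). Returns (url, body)."""
    url = f"{base_url.rstrip('/')}{LOGINCHECK_PATH}"
    return url, urllib.parse.urlencode({"redir": CANARY})


def raw_reflected_chars(body):
    """Return the set of canary special characters reflected *unencoded*.

    Walks the text right after each occurrence of the stem, accepting either
    an HTML entity (neutralised) or the raw character (not neutralised) for
    each expected special. Any other alteration (e.g. %-encoding) stops the
    walk, since the characters then do not reach the HTML parser raw.
    """
    found = set()
    for m in re.finditer(re.escape(STEM), body):
        pos = m.end()
        for expected in SPECIALS:
            ent = ENTITY.match(body, pos)
            if ent:
                pos = ent.end()
            elif body.startswith(expected, pos):
                found.add(expected)
                pos += 1
            else:
                break
    return found


def classify_reflection(body):
    """'absent', 'encoded' or 'unescaped' for a response to the probe."""
    if STEM not in body:
        return "absent"
    return "unescaped" if raw_reflected_chars(body) else "encoded"


# --- server side: the defect class and its fix (illustrative, not FortiOS code) ---

LOGIN_FORM = ('<form method="POST" action="/remote/logincheck">'
              '<input type="hidden" name="redir" value="{redir}"></form>')


def render_login_form_vulnerable(redir):
    """Parameter copied into the page verbatim: reflected XSS."""
    return LOGIN_FORM.format(redir=redir)


def safe_redirect_target(redir, default=DEFAULT_TARGET):
    """Allow only a local absolute path. Anything with a scheme or host
    (including protocol-relative '//host' and '/\\host') falls back to the
    default, which also closes the open-redirect half of an abusable redir."""
    if not redir or not redir.startswith("/") or redir.startswith(("//", "/\\")):
        return default
    parts = urlparse(redir)
    if parts.scheme or parts.netloc:
        return default
    return redir


def render_login_form_hardened(redir):
    """Validate the value, then HTML-escape it for the attribute context."""
    target = safe_redirect_target(redir)
    return LOGIN_FORM.format(redir=html.escape(target, quote=True))


if __name__ == "__main__":
    print(build_get_probe("https://x.x.x.x"))
    pages = (("vulnerable", render_login_form_vulnerable(CANARY)),
             ("hardened", render_login_form_hardened("/remote/portal?next=" + CANARY)))
    for label, page in pages:
        print(label, classify_reflection(page), sorted(raw_reflected_chars(page)))
```

Run the probe against a test portal with any HTTP client and feed the response body to classify_reflection; "unescaped" means at least one of the quote or angle-bracket characters reaches the HTML parser raw, which is the condition the advisory describes. The hardened renderer applies two independent layers: an allowlist on the value (local path only) and contextual output encoding, so a redir that passes validation is still safe inside the attribute.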
Proof of Concept:
Figure 1: Example XSS on an SSLVPN-FGT200B
Source Code Result:
The vendor has released an updated FortiOS; version 4.3.7 fixes this issue.
Discovered: 14/03/2012 (Marco Batista)
Vendor Notified: 18/04/2012