FortiOS Remote Access Web Portal – XSS Vulnerability

imagensecforcepost.png

Overview:

Fortinet delivers a comprehensive portfolio of security gateways and complementary products. FortiGate platforms integrate the FortiOS operating system with FortiASIC processors and the latest-generation CPUs to provide comprehensive, high-performance security. By using a specially crafted URL in an HTTP request, it is possible to achieve an XSS attack, potentially giving access to confidential information, such as session cookies.

Description:

Fortinet FortiOS contains a flaw that allows a non-persistent cross-site scripting (XSS) attack. The input passed to a redir parameter at http://x.x.x.x/remote/logincheck is not properly sanitized. It is possible to inject the redir parameter in a POST request as a data parameter or trough a GET request as a URL parameter. This may allow an attacker to execute arbitrary script code in a user’s browser.

As this range of products are used for SSL VPN authentication, this issue can be exploited to mount an attack and potentially gain unauthorised access to the target internal network.

Affected Products:

Found and tested on: SSLVPN-FGT200B  Remote Access Web Portal, but its known not to be the only one affected.

Proof of Concept:

https://x.x.x.x/remote/logincheck?magic=&username=&redir="};alert('XSS');{"&grpid=&code2=&credential2=&code=&just_logged_in=1&reqid=0&cre

fortios1.png

Source Code Result:

<script language = “javascript”> function redir() { top.location=_};alert(XSS);{_; } </script>

Solution

The vendor has released an update of FortiOS. Version FortiOS 4.3.7 fixes this issue.

History

You may also be interested in...

imagensecforcepost.png
Oct. 13, 2019

NetScaler EPA Bypass Burp plugin

This Burp plugin is a fork of the aforementioned code that will listen for “Pre-Authentication Endpoint Analysis” requests and reply to the server that these were passed.

See more
Nimwhispers_Blog_Post_image
Jan. 17, 2022

NimWhispers - direct system calls

This article will present a new tool called NimWhispers based on the work of SysWhispers2 for using syscalls in the Nim programming language.

See more