FortiOS Remote Access Web Portal – XSS Vulnerability

imagensecforcepost.png

Overview:

Fortinet delivers a comprehensive portfolio of security gateways and complementary products. FortiGate platforms integrate the FortiOS operating system with FortiASIC processors and the latest-generation CPUs to provide comprehensive, high-performance security. By using a specially crafted URL in an HTTP request, it is possible to achieve an XSS attack, potentially giving access to confidential information, such as session cookies.

Description:

Fortinet FortiOS contains a flaw that allows a non-persistent cross-site scripting (XSS) attack. The input passed to a redir parameter at http://x.x.x.x/remote/logincheck is not properly sanitized. It is possible to inject the redir parameter in a POST request as a data parameter or trough a GET request as a URL parameter. This may allow an attacker to execute arbitrary script code in a user’s browser.

As this range of products are used for SSL VPN authentication, this issue can be exploited to mount an attack and potentially gain unauthorised access to the target internal network.

Affected Products:

Found and tested on: SSLVPN-FGT200B  Remote Access Web Portal, but its known not to be the only one affected.

Proof of Concept:

https://x.x.x.x/remote/logincheck?magic=&username=&redir="};alert('XSS');{"&grpid=&code2=&credential2=&code=&just_logged_in=1&reqid=0&cre

fortios1.png

Source Code Result:

<script language = “javascript”> function redir() { top.location=_};alert(XSS);{_; } </script>

Solution

The vendor has released an update of FortiOS. Version FortiOS 4.3.7 fixes this issue.

History

You may also be interested in...

MSBuild-Logger-Code-Execution.png
Aug. 10, 2020

MSBuild logger code execution

Using msbuild to bypass application white-listing Is a well known and documented techique. You simply need to add some C# code to a msbuild task within an msbuild XML project file and msbuild will happily compile and run your code.

See more
CVE-2022-20942
Dec. 13, 2022

CVE-2022-20942: It's not old functionality, it's vintage

Cisco information disclosure vulnerability leveraging supposedly removed legacy functionality

See more