FortiOS Remote Access Web Portal – XSS Vulnerability

imagensecforcepost.png

Overview:

Fortinet delivers a comprehensive portfolio of security gateways and complementary products. FortiGate platforms integrate the FortiOS operating system with FortiASIC processors and the latest-generation CPUs to provide comprehensive, high-performance security. By using a specially crafted URL in an HTTP request, it is possible to achieve an XSS attack, potentially giving access to confidential information, such as session cookies.

Description:

Fortinet FortiOS contains a flaw that allows a non-persistent cross-site scripting (XSS) attack. The input passed to a redir parameter at http://x.x.x.x/remote/logincheck is not properly sanitized. It is possible to inject the redir parameter in a POST request as a data parameter or trough a GET request as a URL parameter. This may allow an attacker to execute arbitrary script code in a user’s browser.

As this range of products are used for SSL VPN authentication, this issue can be exploited to mount an attack and potentially gain unauthorised access to the target internal network.

Affected Products:

Found and tested on: SSLVPN-FGT200B  Remote Access Web Portal, but its known not to be the only one affected.

Proof of Concept:

https://x.x.x.x/remote/logincheck?magic=&username=&redir="};alert('XSS');{"&grpid=&code2=&credential2=&code=&just_logged_in=1&reqid=0&cre

fortios1.png

Source Code Result:

<script language = “javascript”> function redir() { top.location=_};alert(XSS);{_; } </script>

Solution

The vendor has released an update of FortiOS. Version FortiOS 4.3.7 fixes this issue.

History

You may also be interested in...

imagensecforcepost.png
Dec. 5, 2012

Bring your own device (BYOD) security challenges

BYOD is a business policy which encourages employees to bring their personal devices (laptops, tablets, mobile phones) to the corporate environment and perform business tasks with them.

See more
SharpWhispersLogo
May 24, 2022

SharpASM / SharpWhispers

Stealthier code execution and direct system calls

See more