
FortiGate SSL VPN Portal 5.x Cross Site Scripting

Posted Dec 4, 2017
Authored by Stefan Viehboeck | Site sec-consult.com

FortiGate SSL VPN Portal versions 5.6.2 and below, 5.4.6 and below, 5.2.12 and below, and 5.0 and below suffer from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2017-14186
SHA-256 | b2d5f1ba485a9729c93cfe8c29db752eb3863fb1cf9c67796c558e28b07dd9e9

SEC Consult Vulnerability Lab Security Advisory < 20171129-0 >
=======================================================================
title: FortiGate SSL VPN Portal XSS Vulnerability
product: Fortinet FortiOS
vulnerable version: see: Vulnerable / tested versions
fixed version: see: Solution
CVE number: CVE-2017-14186
impact: Medium
homepage: https://www.fortinet.com
found: 2017-10-02
by: Stefan Viehböck (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"From the start, the Fortinet vision has been to deliver broad, truly
integrated, high-performance security across the IT infrastructure.

We provide top-rated network and content security, as well as secure access
products that share intelligence and work together to form a cooperative
fabric. Our unique security fabric combines Security Processors, an intuitive
operating system, and applied threat intelligence to give you proven security,
exceptional performance, and better visibility and control--while providing
easier administration."

Source: https://www.fortinet.com/corporate/about-us/about-us.html


Vulnerability overview/description:
-----------------------------------
The FortiGate SSL VPN Portal is prone to a reflected cross-site scripting (XSS)
vulnerability. The HTTP GET parameter "redir" is vulnerable.
An attacker can exploit this vulnerability by tricking a victim into visiting a
crafted URL. The attacker is able to hijack the session of the attacked user, and
use this vulnerability in the course of spear-phishing attacks, e.g. by displaying
a login prompt that sends the victim's credentials back to the attacker.

Note: This vulnerability is also an open redirect and is very similar to a
vulnerability that was fixed in FortiOS in March 2016 (FG-IR-16-004).
https://www.fortiguard.com/psirt/fortios-open-redirect-vulnerability


Proof of concept:
-----------------
The following request exploits the issue:
https://vpn.<SERVER>.com/remote/loginredir?redir=javascript:alert(%22XSS%20%22%2Bdocument.location)


The server responds with a page that looks as follows:
---------------------------------------------------------------------------------------------------
<html><head>
<script language="javascript">
document.location=decodeURIComponent("javascript%3Aalert%28%22XSS%20%22%2Bdocument.location%29");
</script>
</head></html>
---------------------------------------------------------------------------------------------------
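
Because the response above assigns the decoded "redir" value directly to
document.location, any value that does not resolve to the portal's own origin is
either script execution or an open redirect. The following is an added example,
not part of the SEC Consult advisory or of FortiOS: a triage function for proxy or
WAF request logs. The portal origin and all sample requests except the advisory's
own are constructed placeholders.

```javascript
// Added example: triage of SSL VPN portal requests for the "redir" issue.
// PORTAL is a placeholder origin (assumption), not a real host.
const PORTAL = "https://vpn.example.test";

// Classify one logged request URL (path + query).
// Returns null for unrelated or benign requests, otherwise a finding string.
function classifyLoginRedir(requestUrl, portalOrigin = PORTAL) {
  let req;
  try {
    req = new URL(requestUrl, portalOrigin);
  } catch {
    return null; // not parseable as a URL at all
  }
  if (req.pathname !== "/remote/loginredir") return null;
  const redir = req.searchParams.get("redir"); // percent-decoded once
  if (redir === null || redir === "") return null;

  let target;
  try {
    // Resolve the value the way a browser resolves an assignment to
    // document.location: relative to the portal itself.
    target = new URL(redir, portalOrigin);
  } catch {
    return "unparseable-redir";
  }
  // Same-origin targets are the only legitimate use of the parameter.
  if (target.origin === new URL(portalOrigin).origin) return null;
  // Schemes such as javascript: or data: never navigate to a web page.
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    return "non-http-scheme:" + target.protocol;
  }
  return "off-origin:" + target.host; // open redirect candidate
}

// Constructed sample log entries; the second is the request from the advisory.
const SAMPLE_REQUESTS = [
  "/remote/loginredir?redir=%2Fremote%2Findex",
  "/remote/loginredir?redir=javascript:alert(%22XSS%20%22%2Bdocument.location)",
  "/remote/loginredir?redir=JaVaScRiPt%3Aalert(1)",
  "/remote/loginredir?redir=%2F%2Fother.example.test%2Flogin",
  "/remote/login?lang=en",
];

// Return [request, finding] pairs for every request that needs review.
function triage(requests) {
  return requests
    .map((r) => [r, classifyLoginRedir(r)])
    .filter(([, finding]) => finding !== null);
}
```

Comparing origins after URL resolution, rather than matching on the string
"javascript:", also catches mixed-case schemes and protocol-relative targets.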


Vulnerable / tested versions:
-----------------------------
FortiOS 5.6.0 -> 5.6.2
FortiOS 5.4.0 -> 5.4.6
FortiOS 5.2.0 -> 5.2.12
FortiOS 5.0 and below

More information can be found at:
https://fortiguard.com/psirt/FG-IR-17-242


Vendor contact timeline:
------------------------
2017-10-02: Contacting vendor through psirt@fortinet.com
2017-10-03: Vendor confirms vulnerability, assigns CVE-2017-14186. Expected fix in version 5.6.3
2017-11-23: Vendor provides update
2017-11-29: Coordinated public release of advisory


Solution:
---------
FortiOS 5.6 branch: Upgrade to upcoming 5.6.3 (ETA: November 27th)
FortiOS 5.4 branch: Upgrade to 5.4.6 special build (*) or upcoming 5.4.7 (ETA Dec 7th)
FortiOS 5.2 branch: Upgrade to 5.2.12 special build (*) or upcoming 5.2.13 (ETA: Dec 14th)

More information can be found at:
https://fortiguard.com/psirt/FG-IR-17-242


Workaround:
-----------
Not available.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendations about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Stefan Viehböck / @2017

