FortiOS SSL VPN web portal Host Header Redirection
A Host Header Redirection vulnerability exists in FortiOS SSL-VPN web portal: when an attacker submits specially crafted HTTP requests, the SSL-VPN web portal may respond with a redirection to websites specified by the attacker.
If a web proxy's cache is poisoned with the aforementioned redirection, users of this web proxy may be directed to the attacker's specified websites when trying to access the SSL-VPN web portal.
FortiOS 5.4.0 to 6.0.4, 5.6.12, 5.2.14 and below.
Upgrade to FortiOS 5.2.15, 5.6.13, 6.0.5 or 6.2.0
The risk is low as the attack needs to be combined with other attacks to have an impact.
As a measure of precaution, administrators may want to disable the SSL-VPN web portal service by applying the following CLI commands:
config vpn ssl settings
2019-05-17 Initial version
2020-01-03 New fix on 5.2.15 released.
Fortinet is pleased to thank Julio Sanchez from SecureAuth Corporation for reporting this vulnerability under responsible disclosure.