Information disclosure in web proxy error pages


A server-generated error message containing sensitive information vulnerability [CWE-550] in FortiOS and FortiProxy web proxy may allow a malicious webserver to retrieve a web proxy's client username and IP via same origin HTTP requests triggering proxy-generated HTTP status codes pages.

Version Affected Solution
FortiOS 7.2 Not affected Not Applicable
FortiOS 7.0 7.0.0 through 7.0.3 Upgrade to 7.0.4 or above
FortiOS 6.4 6.4.0 through 6.4.9 Upgrade to 6.4.10 or above
FortiOS 6.2 6.2.0 through 6.2.10 Upgrade to 6.2.11 or above
FortiOS 6.0 6.0 all versions Migrate to a fixed release
FortiProxy 7.0 7.0.0 through 7.0.1 Upgrade to 7.0.2 or above
FortiProxy 2.0 2.0 all versions Migrate to a fixed release
Follow the recommended upgrade path using our tool at:


Fortinet is pleased to thank Tom Tervoort from Secura for bringing this issue to our attention under responsible disclosure.