HTTP Host header attacks against web proxy disclaimer response webpage
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
FG-IR-17-262
Final
1
1
2018-01-22T00:00:00
Current version
2018-01-22T00:00:00
2018-01-22T00:00:00
The FortiOS web proxy disclaimer page is potentially vulnerable to an XSS attack, via maliciously crafted "Host" headers in user HTTP requests. The latter is possible if an attacker is in a Man-in-the-middle position (i.e. able to modify the HTTP requests of the potential victim before they reach the web proxy), or poisons a web cache used by the potential victim.In the latter attack scenario, the tainted disclaimer web page being cached, the XSS attack can be considered as persistent.
Persistent Cross-site Scripting (XSS)
FortiOS 5.6.0 to 5.6.2FortiOS 5.4.0 to 5.4.7FortiOS 5.2 and lower versions.
FortiOS 5.6 branch: Upgrade to 5.6.3 FortiOS 5.4 branch: Upgrade to 5.4.8 FortiOS 5.2 and lower versions: Upgrade to branch 5.4 or above, or resort to Workarounds below. Workarounds: In System->Replacement Messages->Web-proxy->"Web-proxy HTTP Error Page", remove the following default message content: URL: %%PROTOCOL%%://%%URL%%
Fortinet is pleased to thank "Dhiraj Shrikant Datar, Paramount Computer Systems FZ LLC" for reporting this vulnerability under responsible disclosure.
FortiOS 5.6.2
FortiOS 5.6.1
FortiOS 5.6.0
FortiOS 5.4.7
FortiOS 5.4.6
FortiOS 5.4.5
FortiOS 5.4.4
FortiOS 5.4.3
FortiOS 5.4.2
FortiOS 5.4.1
FortiOS 5.4.0
FortiOS 5.2.15
FortiOS 5.2.14
FortiOS 5.2.13
FortiOS 5.2.12
FortiOS 5.2.11
FortiOS 5.2.10
FortiOS 5.2.9
FortiOS 5.2.8
FortiOS 5.2.7
FortiOS 5.2.6
FortiOS 5.2.5
FortiOS 5.2.4
FortiOS 5.2.3
FortiOS 5.2.2
FortiOS 5.2.1
FortiOS 5.2.0
HTTP Host header attacks against web proxy disclaimer response webpage
CVE-2017-14190
FortiOS-5.6.2
FortiOS-5.6.1
FortiOS-5.6.0
FortiOS-5.4.7
FortiOS-5.4.6
FortiOS-5.4.5
FortiOS-5.4.4
FortiOS-5.4.3
FortiOS-5.4.2
FortiOS-5.4.1
FortiOS-5.4.0
FortiOS-5.2.15
FortiOS-5.2.14
FortiOS-5.2.13
FortiOS-5.2.12
FortiOS-5.2.11
FortiOS-5.2.10
FortiOS-5.2.9
FortiOS-5.2.8
FortiOS-5.2.7
FortiOS-5.2.6
FortiOS-5.2.5
FortiOS-5.2.4
FortiOS-5.2.3
FortiOS-5.2.2
FortiOS-5.2.1
FortiOS-5.2.0
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X
https://fortiguard.fortinet.com/psirt/FG-IR-17-262
HTTP Host header attacks against web proxy disclaimer response webpage
Reference>