HTTP Host header attacks against web proxy disclaimer response webpage Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-17-262 Final 1 1 2018-01-22T00:00:00 Current version 2018-01-22T00:00:00 2018-01-22T00:00:00 The FortiOS web proxy disclaimer page is potentially vulnerable to an XSS attack, via maliciously crafted "Host" headers in user HTTP requests. The latter is possible if an attacker is in a Man-in-the-middle position (i.e. able to modify the HTTP requests of the potential victim before they reach the web proxy), or poisons a web cache used by the potential victim.In the latter attack scenario, the tainted disclaimer web page being cached, the XSS attack can be considered as persistent. Execute unauthorized code or commands FortiOS 5.6.0 to 5.6.2FortiOS 5.4.0 to 5.4.7FortiOS 5.2 and lower versions. FortiOS 5.6 branch: Upgrade to 5.6.3FortiOS 5.4 branch: Upgrade to 5.4.8FortiOS 5.2 and lower versions: Upgrade to branch 5.4 or above, or resort to Workarounds below.Workarounds:In System->Replacement Messages->Web-proxy->"Web-proxy HTTP Error Page", remove the following default message content: URL: %%PROTOCOL%%://%%URL%% Fortinet is pleased to thank "Dhiraj Shrikant Datar, Paramount Computer Systems FZ LLC" for reporting this vulnerability under responsible disclosure. CVE-2017-14190 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-17-262 HTTP Host header attacks against web proxy disclaimer response webpage Reference>