FortiWeb Recursive URL Decoding by default disabled causing WAF bypass Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-18-058 Final 1 1 2018-08-23T00:00:00 Current version 2018-08-23T00:00:00 2018-08-23T00:00:00 FortiWeb's "Recursive URL Decoding" feature can detect URL-based attacks (among which XSS and SQL injection attempts) even when the malicious URL is recursively encoded. However, this feature is not enabled by default in FortiWeb's system settings for FortiWeb version 6.0.0 and below. Execute unauthorized code or commands FortiWeb 6.0.0 and below. Upgrade to FortiWeb 6.0.1 or newer versions or use workaround.WorkaroundFor FortiWeb 6.0.0 and below, manually enabling this feature is recommended.From the FortiWeb GUI, it can be enabled under ystem > Config > Advanced in the "Recursive URL Decoding" (refer to: http://help.fortinet.com/fweb/571/Content/FortiWeb/fortiweb-admin/advanced_settings.htm for more info).From the FortiWeb CLI, it can be enabled with the following commands:config system advancedset circulate-url-decode enableendUpdate History05-16-2018 Initial version.08-23-2018 Default secure setting supported in 6.0.1 https://fortiguard.fortinet.com/psirt/FG-IR-18-058 FortiWeb Recursive URL Decoding by default disabled causing WAF bypass http://help.fortinet.com/fweb/571/Content/FortiWeb/fortiweb-admin/advanced_settings.htm http://help.fortinet.com/fweb/571/Content/FortiWeb/fortiweb-admin/advanced_settings.htm Fortinet is pleased to thank independent security researcher SecuNinja (http://twitter.com/secuninja) for reporting this FortiWeb operational risk under responsible disclosure. FortiWeb 6.0.0 FortiWeb-6.0.0 0 https://fortiguard.fortinet.com/psirt/FG-IR-18-058 FortiWeb Recursive URL Decoding by default disabled causing WAF bypass Reference> http://help.fortinet.com/fweb/571/Content/FortiWeb/fortiweb-admin/advanced_settings.htm http://help.fortinet.com/fweb/571/Content/FortiWeb/fortiweb-admin/advanced_settings.htm