Blog Single FullWidth | Enar
SECURITY ADVISORY- HTTP HOST HEADER ATTACKS AGAINST WEB PROXY DISCLAIMER RESPONSE WEBPAGE
February 15, 2015
Summary
The FortiOS web proxy disclaimer page is potentially vulnerable to an XSS attack, via maliciously crafted Host headers in user HTTP requests. The latter is possible if an attacker is in a Man-in-the-middle position (i.e. able to modify the HTTP requests of the potential victim before they reach the web proxy), or poisons a web cache used by the potential victim.

In the latter attack scenario, the tainted disclaimer web page being cached, the XSS attack can be considered as persistent.

Impact
Persistent Cross-site Scripting (XSS)

Affected Products
FortiOS 5.6.0 to 5.6.2
FortiOS 5.4.0 to 5.4.7
FortiOS 5.2 and lower versions.

Solutions
FortiOS 5.6 branch: Upgrade to 5.6.3
FortiOS 5.4 branch: Upgrade to 5.4.8
FortiOS 5.2 and lower versions: Upgrade to branch 5.4 or above, or resort to Workarounds below.

Workarounds
In System->Replacement Messages->Web-proxy->Web-proxy HTTP Error Page, remove the following default message content:
URL: %%PROTOCOL%%://%%URL%%

Acknowledgement
Fortinet is pleased to thank Dhiraj Shrikant Datar, Paramount Computer Systems FZ LLC for reporting this vulnerability under responsible disclosure.