Fortinet FortiOS Open Redirect / Cross Site Scripting

`Description  
===================================================================  
The FortiOS webui accepts a user-controlled input that specifies a link to  
an external site, and uses that link in a redirect.  
  
The redirect input parameter is also prone to a cross site scripting.  
  
Public Fortinet Security Advisory (Mar 16 2016):  
http://www.fortiguard.com/advisory/fortios-open-redirect-vulnerability  
  
PoC  
===================================================================  
The parameter "redir" in the Fortiweb web login portal is vulnerable to  
Open Redirect and Cross Site Scripting  
  
1. Open Redirect  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
http[s]://fortigate-management-ip-address/login?redir=http[:]//evil-site  
  
2. Cross Site Scripting  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
http[s]://fortigate-management-ip-address/login?redir=javascript:alert(document.cookie)  
  
Solution  
===================================================================  
Upgrade to one the following FortiOS versions:  
* 5.0 branch: 5.0.13 or above  
* 5.2 branch: 5.2.3 or above  
* 5.4 branch: 5.4.0 or above  
  
*** 4.3 and lower branches are not affected by this vulnerability.  
  
Authors:  
===================================================================  
Javier Nieto - @BehindFirewalls  
http://www.behindthefirewalls.com  
  
  
`