id: CVE-2016-3978

info:
  name: Fortinet FortiOS  - Open Redirect/Cross-Site Scripting
  author: 0x_Akoko
  severity: medium
  description: FortiOS Web User Interface in 5.0.x before 5.0.13, 5.2.x before 5.2.3, and 5.4.x before 5.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting attacks via the "redirect" parameter to "login."
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized access, phishing attacks, and potential data theft.
  remediation: |
    Apply the latest security patches and updates provided by Fortinet to mitigate the vulnerability.
  reference:
    - http://www.fortiguard.com/advisory/fortios-open-redirect-vulnerability
    - https://nvd.nist.gov/vuln/detail/CVE-2016-3978
    - http://seclists.org/fulldisclosure/2016/Mar/68
    - http://www.securitytracker.com/id/1035332
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2016-3978
    cwe-id: CWE-79
    epss-score: 0.00217
    epss-percentile: 0.59667
    cpe: cpe:2.3:o:fortinet:fortios:5.0.0:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: fortinet
    product: fortios
  tags: cve2016,cve,redirect,fortinet,fortios,seclists

http:
  - method: GET
    path:
      - '{{BaseURL}}/login?redir=http://www.interact.sh'

    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1
# digest: 490a0046304402201e517dd06332c852dc9e8a03d12eb20c9636dfc194690a007024ef333e978dba022062abb7e6dbc6349bc055a6faeffa048a2b20388fd1893538783af9670b6e35e0:922c64590222798bb761d5b6d8e72950