CVE-2021-36191 in FortiWeb
Summary
by MITRE • 12/08/2021
A url redirection to untrusted site ('open redirect') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to use the device as proxy via crafted GET parameters in requests to error handlers
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 05/02/2025
The vulnerability identified as CVE-2021-36191 represents a critical open redirect flaw within Fortinet FortiWeb web application firewalls running versions 6.4.1 and earlier, as well as 6.3.15 and earlier. This security weakness resides in the error handling mechanisms of the FortiWeb appliance, specifically in how it processes crafted GET parameters that trigger error responses. The vulnerability stems from insufficient input validation and sanitization of URL parameters within the device's error handler components, allowing malicious actors to manipulate the redirection behavior during error conditions.
The technical implementation of this vulnerability involves the manipulation of HTTP GET request parameters that are processed by FortiWeb's error handling subsystem. When the device encounters an error condition, it typically displays a custom error page that may contain user-supplied URL parameters in the redirect logic. Attackers can exploit this by crafting specific GET parameters that contain malicious URLs, which are then processed and executed as redirects within the error handler context. This creates a scenario where the vulnerable FortiWeb device acts as an intermediary proxy, potentially facilitating further attacks or bypassing security controls.
The operational impact of this vulnerability extends beyond simple redirection, as it enables attackers to leverage the FortiWeb appliance as a proxy server for malicious activities. This capability allows threat actors to use the device's network position to forward requests to internal systems or external malicious servers, potentially bypassing network segmentation controls. The vulnerability can be particularly dangerous in environments where FortiWeb serves as a primary security gateway, as it undermines the device's ability to protect against malicious traffic. The attack surface includes not only direct exploitation but also potential use in phishing campaigns, where the vulnerable device could be used to redirect users to malicious sites while appearing to originate from a trusted source.
From a cybersecurity perspective, this vulnerability aligns with CWE-601 Open Redirect vulnerability classification and maps to several ATT&CK techniques including T1566.001 Phishing and T1071.004 Application Layer Protocol. The flaw demonstrates a classic example of insufficient validation of user inputs, which is a fundamental security principle that should be enforced at all levels of application processing. Organizations utilizing vulnerable FortiWeb versions face significant risk of being used as attack vectors, particularly in environments where the device is configured to handle sensitive traffic or where internal network access is restricted. The vulnerability's exploitation does not require authentication and can be performed through simple HTTP requests, making it highly accessible to attackers. Mitigation strategies should include immediate patching of affected FortiWeb appliances, implementation of network-level restrictions to prevent unauthorized access to error handling endpoints, and monitoring for suspicious redirect patterns in logs. Additionally, organizations should review their FortiWeb configurations to ensure that error handling does not inadvertently expose redirect functionality that could be exploited by malicious actors.