Injection Vulnerabilities in Polycom HDX Systems Web Interface

Overview

Researched By: WootCloud IOT Threat Labs (WITL)

Tested Firmware: Polycom HDX Systems 3.1.12 Firmware
(https://support.polycom.com/content/dam/polycom-support/products/telepresence-and-video/hdx-series/release-notes/en/3725-2398a-079a-hdx3.1.12-rel-notes.pdf)

Vulnerable Systems: Polycom HDX 4000 to 9000 systems running firmware 3.1.12 or earlier.
Issue: Cross-site Scripting (XSS) Vulnerability in the "Remote Access Settings" Component

Details: The "message" HTTP parameter (passed after the "FAILED" flag) of the "a_remoteaccesssettings.htm" page in the "Remote Access Settings" component is prone to a reflected XSS vulnerability. The page fails to validate the arbitrary input supplied by the user and reflects it into the response, so an injected JavaScript payload executes in the context of the user's browser session. The following payload was used to validate the vulnerability.

  • Payload: ';--"/>"/><h1><iframe src="JavaScript:alert(/Injected_via_Iframe/)"></iframe><br/><br/><a href="JavaScript:alert(document.cookie);">[INJECTED PAYLOAD]</a></h1>
  • URL: https://[polycom_hdx_system]/a_remoteaccesssettings.htm?FAILED&message=';--"/>"/><h1><iframe src="JavaScript:alert(/Injected_via_Iframe/)"></iframe><br/><br/><a href="JavaScript:alert(document.cookie);">[INJECTED PAYLOAD]</a></h1>

XSS vulnerabilities can be used to execute malicious code in the victim's browser or to steal session details via the injected JavaScript. Successful execution of the payload is shown in the screenshot below:

For more details about this class of issue, refer to: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Recommendation: Arbitrary input passed by the user should be sanitized, filtered and validated on the server side before it is reflected into the page.
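To make the reflection bug and the recommended fix concrete, the following is an added example (not Polycom's code, and not from the advisory): a hypothetical error-banner template standing in for the page's "message" reflection, rendered both as the advisory describes it and with HTML entity encoding applied, plus a simple check a defender can run over request URLs from an access log to flag markup in that parameter. The template, the URLs and the shortened payload are constructed for the example.

```python
from html import escape
from urllib.parse import parse_qs, unquote, urlparse

# Constructed, shortened form of the advisory's payload (active pieces only).
PAYLOAD = "';--\"/>\"/><h1><iframe src=\"JavaScript:alert(1)\"></iframe></h1>"

# Hypothetical template standing in for the page's failed-login banner.
TEMPLATE = '<div id="status">Login failed: {msg}</div>'

def render_vulnerable(message: str) -> str:
    """Reflects the raw parameter into the page (the behaviour the advisory reports)."""
    return TEMPLATE.format(msg=message)

def render_hardened(message: str) -> str:
    """Entity-encodes the value for the HTML element-content context before reflecting it."""
    return TEMPLATE.format(msg=escape(message, quote=True))

# Markers that should never appear in a decoded 'message' value; deliberately simple.
SUSPICIOUS = ("<", ">", "javascript:")

def suspicious_message_param(request_url: str) -> bool:
    """True when the 'message' query parameter carries markup or a script URL.
    parse_qs decodes one layer of %XX encoding; unquote() catches a second layer."""
    params = parse_qs(urlparse(request_url).query, keep_blank_values=True)
    for value in params.get("message", []):
        decoded = unquote(value).lower()
        if any(marker in decoded for marker in SUSPICIOUS):
            return True
    return False

# Constructed sample request URLs as they might appear in the device's access log.
SAMPLE_URLS = [
    "https://hdx.example.invalid/a_remoteaccesssettings.htm?FAILED&message=Invalid%20password",
    "https://hdx.example.invalid/a_remoteaccesssettings.htm?FAILED&message="
    "%27%3B--%22%2F%3E%3Ch1%3E%3Ciframe%20src%3D%22JavaScript%3Aalert(1)%22%3E%3C%2Fiframe%3E",
]

def flagged_urls(urls=SAMPLE_URLS):
    """Returns the subset of URLs whose 'message' parameter looks like an injection attempt."""
    return [u for u in urls if suspicious_message_param(u)]

if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))   # <iframe ...> survives as live markup
    print(render_hardened(PAYLOAD))     # &lt;iframe ...&gt; is inert text
    print(flagged_urls())               # only the second sample URL is flagged
```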
