Multiple Security Vulnerabilities in Polycom HDX Systems Web Interface


Researched By: WootCloud IOT Threat Labs (WITL) [ ]
Date: June 4th, 2018

Tested Firmware: Polycom HDX Systems 3.1.12 Firmware ( s/release-notes/en/3725-2398a-079a-hdx3.1.12-rel-notes.pdf )

Vulnerable Systems: Polycom HDX 4000 – 9000 system running the firmware 3.1.12 or less.

Issue 1: Cross-site Scripting (XSS) Vulnerability in “Closed Caption” Component

Details: The “Closed Caption” component (a_apicommand.cgi) is prone to XSS vulnerability. The component fails to validate the arbitrary input passed by the user and execute the JavaScript payload in the context of the user. For vulnerability validation, the following payload was used to validate the vulnerability.

  • Payload: “/>”/><h1><a href=”JavaScript:alert(‘Code_Exectution_Via_JavaScript_Injection’)”>Injected Payload</a></h1>

XSS vulnerabilities can be used to execute malicious code or steal session details via an injected JavaScript. Successful execution of the code is shown below:

For more details about the issue, refer: ​

Recommendation: ​It is advised that arbitrary input passed by the user should be sanitized, filtered and validated on the server side.

Issue 2 : Design: HTTP Verb Tampering Allowed by Embedded Web Server

Details: ​The deployed embedded web server in Polycom HDX systems allow HTTP Verb Tampering. The server fails to validate the HTTP requests to specific verbs. It is possible to access the resources by tampering the HTTP verb (Changing HTTP POST to HTTP GET) to ease out the attack surface.

HTTP Verb Tampering is an attack that exploits vulnerabilities in HTTP verb (also known as HTTP method) authentication and access control mechanisms. Many authentication mechanisms only limit access to the most common HTTP methods, thus allowing unauthorized access to restricted resources by other HTTP methods

POC is shown below:

The “​a_importdirectoryascsv.cgi” expects the HTTP POST request to be issued by the browser and expects HTTP parameters “importimage.x”, “importimage.y” and “htmlfile” to be sent in order to download the directory information from the “lighttpd” server.

However, if the HTTP verb is tampered from POST to GET, the web server still accepts the request and dump the directory details in the “​_importdirectoryascsv.cgi” ​as shown below:

Self-signed certificate encountered.

More details about HTTP Verb Tampering, refer here:

Recommendation:​ Make sure HTTP methods are validated and configured securely. More details refer, Verb_Tampering.pdf

This website uses cookies to ensure you get the best experience on our website.