Barix Instreamer Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in Barix Instreamer devices running firmware versions 04.05 and 04.06. It allows an authenticated administrator to inject arbitrary HTML or JavaScript into the Streaming Destination field under Configuration → Basic Settings. The injected markup is stored persistently on the device and, because the Status page renders the field without output encoding, is executed whenever that page is viewed. As a result, any user, including other administrators, who opens the Status page runs the stored script in their browser within the context of the Instreamer management interface.
Impact
Exploitation of this vulnerability allows for session hijacking of administrative accounts, theft of admin cookies or credentials, unauthorized configuration changes, and the introduction of persistent backdoors or defacement of the management interface. Additionally, this vulnerability could serve as a stepping stone for further network compromises.
Reproduction
To reproduce this vulnerability, log into the Barix Instreamer web interface as an administrator. Navigate to the Configuration → Basic Settings → Streaming Destination section. In the Streaming Destination field, enter a script payload, such as a JavaScript alert script. After saving the changes, navigate to the Status page. The injected script will execute immediately, demonstrating the cross-site scripting vulnerability. This exploitation can be automated by using a payload that steals cookies, for example.
Remediation
Barix has acknowledged this vulnerability and is preparing a fixed firmware version. Once it is released, upgrade to a version newer than 04.06 as soon as possible. Until then, restrict access to the Instreamer web interface to trusted administrators, monitor the Streaming Destination field for suspicious entries, and consider blocking outbound connections from the device to unknown hosts.
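The root cause is a missing output-encoding step, and the interim advice is to watch the Streaming Destination field. The following Python is an added example written for this page, not Barix firmware code: it places the flawed rendering pattern next to a hardened one that HTML-encodes the stored value on output, and adds a simple monitoring check for the field. The Status page template, the sample values, and the `host[:port][/path]` allow-list pattern are assumptions made for illustration; the real field syntax is not documented on this page.

```python
import html
import re
from typing import Optional

# Constructed sample values for the Streaming Destination field (not taken from a device).
BENIGN_DESTINATION = "icecast.example.net:8000/instreamer"
# The alert-style marker the advisory mentions, used only to show that the
# hardened renderer displays it as text instead of executing it.
MARKUP_DESTINATION = '<script>alert("xss")</script>'

# Hypothetical Status page row; the real page layout is not known.
STATUS_TEMPLATE = "<tr><td>Streaming Destination</td><td>{value}</td></tr>"


def render_status_row_vulnerable(destination: str) -> str:
    """Mirrors the flawed pattern: the stored value is concatenated into the
    Status page unchanged, so any markup it contains becomes live HTML."""
    return STATUS_TEMPLATE.format(value=destination)


def render_status_row_fixed(destination: str) -> str:
    """Hardened form: HTML-encode on output so the value is shown as text.
    quote=True also encodes ' and ", which matters if the value is ever
    placed inside an attribute."""
    return STATUS_TEMPLATE.format(value=html.escape(destination, quote=True))


# Assumed shape of a legitimate destination: host[:port][/mountpoint].
# This is an illustrative allow-list, not Barix's documented syntax.
_DESTINATION_RE = re.compile(r"^[A-Za-z0-9.-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~/-]*)?$")


def check_destination(destination: str) -> Optional[str]:
    """Return None when the stored value looks like a plain stream destination,
    otherwise a short reason suitable for a monitoring alert."""
    if re.search(r"[<>\"'&]", destination):
        return "contains HTML metacharacters"
    if not _DESTINATION_RE.fullmatch(destination):
        return "does not match host[:port][/path] pattern"
    return None


if __name__ == "__main__":
    for value in (BENIGN_DESTINATION, MARKUP_DESTINATION):
        print("vulnerable:", render_status_row_vulnerable(value))
        print("fixed:     ", render_status_row_fixed(value))
        print("check:     ", check_destination(value) or "ok")
```

The encoding belongs at the point of output, not at input: a value that is harmless in one context (a configuration form) may be dangerous in another (the Status page), and encoding on output protects every page that displays the field. The allow-list check is a defensive monitor for the interim period and deliberately errs toward flagging anything that does not look like a stream destination.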
