BackupPC 3.2.0 XSS

I dont normally make posts about XSS exploits unless there is some special circumstances. I picked this one because BackupPC is a popular network backup tool that you might find in networks all over the place and because there is no built in security you normally only find it on “secure” trusted networks.

So anyway the issue is in Browse.pm. It gets a num variable passed to it via get request, then displays the unsanitary input back to the user. So heres PoCs of both the vectors i found.

PoC 1: http://target.server/cgi-bin/BackupPC_Admin?action=browse&host=realhostneeded&num=1[XSS] – comes back as a valid request and runs XSS

PoC 2: http://target.server/cgi-bin/BackupPC_Admin?action=browse&host=realhostneeded&num=[XSS] – comes back as ERROR and runs XSS

Like most XSS holes its a easy fix, just edit line 55 in /usr/local/BackupPC/lib/BackupPC/CGI/Browse.pm to read like so:
my $num = ${EscHTML($In{num})};

or download this Browse.pm file and replace it with the one in /usr/local/BackupPC/lib/BackupPC/CGI/ on the installed server.

Ok thats it, peace.