From full-disclosure Thu Aug 20 12:37:08 2015
From: Vulnerability Lab
Date: Thu, 20 Aug 2015 12:37:08 +0000
To: full-disclosure
Subject: [FD] UBNT Bug Bounty #1 - Client Side Cross Site Scripting Vulnerability
Message-Id: <55D5C9F4.5010501@vulnerability-lab.com>
X-MARC-Message: https://marc.info/?l=full-disclosure&m=144007441403956

Document Title:
===============
UBNT Bug Bounty #1 - Client Side Cross Site Scripting Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1465

#52988


Release Date:
=============
2015-08-17


Vulnerability Laboratory ID (VL-ID):
====================================
1465


Common Vulnerability Scoring System:
====================================
2.8


Product & Service Introduction:
===============================
Ubiquiti Networks is an American technology company started in 2005. Based in San Jose, California, it is a manufacturer of
wireless products whose primary focus is on under-served and emerging markets.

(Copy of the Homepage: http://en.wikipedia.org/wiki/Ubiquiti_Networks )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a client-side cross site scripting web vulnerability in the official Ubnt Store online service web-application.


Vulnerability Disclosure Timeline:
==================================
2015-03-17: Researcher Notification & Coordination (Hadji Samir)
2015-03-18: Vendor Notification (Ubnt Security Team - Bug Bounty Program)
2015-04-03: Vendor Response/Feedback (Ubnt Security Team - Bug Bounty Program)
2015-07-24: Vendor Fix/Patch (Ubnt Developer Team)
2015-08-12: Bug Bounty Reward (Ubnt Security Team - Bug Bounty Program)
2015-08-17: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Ubiquiti Networks
Product: Ubnt Store - Web Application (Online-Service) 2015 Q2


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A non-persistent cross site scripting web vulnerability has been discovered in the official Ubnt Store online service web-application.
The vulnerability allows remote attackers to hijack the session data of website customers, moderators or admins by means of client-side
manipulated cross site requests.

The vulnerability is located in the `bridgeName` value of the store.ubnt.com/skin/adminhtml/default/default/media/ service module. The injection
point is the vulnerable uploader.swf file: the flash uploader reads `bridgeName` from its query string and uses it in client-side script without
encoding it. Remote attackers are able to inject their own script code through the `bridgeName` parameter of a GET request to uploader.swf. The
attack vector is on the client side of the ubnt store web-application, the request method used to inject the script code is `GET`, and the
injected script executes in the context of the swf file on the store.ubnt.com origin.

The security risk of the non-persistent input validation web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 2.8.
Exploitation of the client-side cross site scripting web vulnerability requires low user interaction (a click on a prepared link) and no privileged application user account.
Successful exploitation results in client-side account theft by session hijacking, client-side phishing, client-side external redirects and non-persistent manipulation
of affected or connected service modules.

Request Method(s):
						[+] GET

Vulnerable Service(s):
						[+] Ubnt Store - (store.ubnt.com/skin/adminhtml/default/default/media/)

Vulnerable Module(s):
						[+] uploader.swf

Vulnerable Parameter(s):
						[+] bridgeName


Proof of Concept (PoC):
=======================
The client-side cross site scripting vulnerability in the swf file can be exploited by remote attackers without a privileged application user account and with low or medium user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Example (attack string)
uploader.swf?bridgeName=1``]));}catch(s){alert('hadjisamir')}//

PoC: Payload
https://store.ubnt.com/skin/adminhtml/default/default/media/uploader.swf?bridgeName=1``]));}catch(s){alert('hadjisamir')}//Hadji Samir

Reference(s):
http://store.ubnt.com/ (uploader.swf)
http://store.ubnt.com/skin/adminhtml/default/default/media/uploader.swf?
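The shape of the payload above (a value that starts with `1``]));}` and ends with `//`) tells you how the injection works: the swf turns the `bridgeName` value into JavaScript source text by string concatenation, so a value that closes the call the swf meant to make can append its own `catch` block and comment out the remainder. The JavaScript below is an added example and is not code from the advisory, from Vulnerability Lab or from Ubiquiti. It models the bridge call with a hypothetical template, `try { __flash__toXML(bridgeInitialized([<bridgeName>])); } catch (e) { ... }`, which is an assumption standing in for whatever uploader.swf really emits; the `bridgeInitialized` and `__flash__toXML` stubs, the `uploader` object and the recording `alert` are likewise constructed for the demonstration. It runs the advisory's payload against the unsafe builder and against a hardened builder that accepts only an identifier, and records what would have reached `alert`.

```javascript
// Added example (not from the advisory or Ubiquiti): models how a Flash
// uploader's `bridgeName` flashvar ends up inside JavaScript source text, why
// the advisory's payload executes, and how validating the value stops it.
// The call template below is a hypothetical stand-in for the real swf's code.

// Payload exactly as given in the advisory's PoC (the value of bridgeName).
const ADVISORY_PAYLOAD = "1``]));}catch(s){alert('hadjisamir')}//";

// Vulnerable pattern: the flashvar is concatenated into JS source unescaped,
// so a value ending in `]));}catch(s){...}//` closes the intended call early,
// appends its own catch block and comments out the rest of the template.
function buildBridgeCallUnsafe(bridgeName) {
  return "try { __flash__toXML(bridgeInitialized([" + bridgeName +
         "])); } catch (e) { '<undefined/>'; }";
}

// A bridge name only ever needs to be a JavaScript identifier.
const BRIDGE_NAME = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function isSafeBridgeName(bridgeName) {
  return typeof bridgeName === "string" && BRIDGE_NAME.test(bridgeName);
}

// Hardened pattern: reject anything that is not an identifier, and even then
// pass the value as a JSON-encoded string literal rather than raw source text.
function buildBridgeCallSafe(bridgeName) {
  if (!isSafeBridgeName(bridgeName)) {
    throw new Error("rejected bridgeName: " + JSON.stringify(bridgeName));
  }
  return "try { __flash__toXML(bridgeInitialized([" + JSON.stringify(bridgeName) +
         "])); } catch (e) { '<undefined/>'; }";
}

// Executes generated source the way the browser would, with stand-ins for the
// page-side bridge API, the legitimate `uploader` bridge object and
// window.alert, and records what the script actually did.
function runBridge(source) {
  const calls = [];
  const alerts = [];
  const globals = {
    __flash__toXML: (value) => value,
    bridgeInitialized: (args) => { calls.push(args); return true; },
    uploader: { id: "uploader" },
    alert: (msg) => alerts.push(String(msg)),
  };
  // Function bodies are sloppy-mode, so `with` is allowed here; it resolves the
  // free identifiers in `source` against `globals`. The newline before the
  // closing brace keeps the payload's trailing `//` from swallowing it.
  const run = new Function("globals", "with (globals) {\n" + source + "\n}");
  run(globals);
  return { calls, alerts };
}

// Runs the four cases: benign name through the unsafe builder (bridge call
// happens, no alert), the advisory payload through it (alert fires, the real
// bridge call never happens), the benign name through the hardened builder,
// and the payload rejected by the hardened builder before any source is built.
function demo() {
  const benign = runBridge(buildBridgeCallUnsafe("uploader"));
  const exploited = runBridge(buildBridgeCallUnsafe(ADVISORY_PAYLOAD));
  const hardened = runBridge(buildBridgeCallSafe("uploader"));
  let rejected = null;
  try {
    buildBridgeCallSafe(ADVISORY_PAYLOAD);
  } catch (err) {
    rejected = err.message;
  }
  return { benign, exploited, hardened, rejected };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with node to print the four cases. Of the two fixes, rejecting the value up front is the more robust: once a value is spliced into source text, any encoding step has to be exactly right for that position in the template, whereas an identifier allow-list needs no knowledge of the template at all.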
Solution - Fix & Patch:
=======================
Encode the bridgeName value in the uploader.swf file before it is passed to the browser, or restrict it to a plain identifier, to prevent client-side script code injection attacks (cross site scripting).


Security Risk:
==============
The security risk of the client-side cross site scripting vulnerability in the swf file is estimated as medium. (CVSS 2.8)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Hadji Samir [samir@evolution-sec.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com             - www.vuln-lab.com                                        - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com           - research@vulnerability-lab.com                          - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com         - vulnerability-lab.com/contact.php                       - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab               - facebook.com/VulnerabilityLab                           - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php     - vulnerability-lab.com/rss/rss_upcoming.php              - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php      - vulnerability-lab.com/list-of-bug-bounty-programs.php   - vulnerability-lab.com/register/

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2014 | Vulnerability Laboratory - Evolution Security GmbH ™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/