CVE-2013-3572

MEDIUM 6.1 / 10.0
Published: December 31, 2013 at 08:55 PM
Modified: April 11, 2025 at 12:51 AM
Source: cve@mitre.org

Vulnerability Description

Cross-site scripting (XSS) vulnerability in the administer interface in the UniFi Controller in Ubiquiti Networks UniFi 2.3.5 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted client hostname.

CVSS Metrics

Base Score
6.1
Severity
MEDIUM
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Ubiquiti Networks UniFi Controller versions 2.3.5 and earlier are vulnerable to a cross-site scripting (XSS) attack. This vulnerability allows attackers to inject malicious scripts into the administrator interface, potentially leading to account compromise and system takeover by stealing administrator credentials or redirecting users to malicious websites.

02 // Vulnerability Mechanism

Step 1: Payload Delivery: An attacker crafts a malicious hostname containing a JavaScript payload (e.g., <script>alert('XSS')</script>).
Step 2: Hostname Assignment: The attacker associates the malicious hostname with a client device, either by configuring the device directly or by manipulating DHCP settings.
Step 3: Data Storage: The UniFi Controller stores the malicious hostname in its database without proper sanitization.
Step 4: Administrator Access: An administrator logs into the UniFi Controller's web interface.
Step 5: Information Retrieval: The administrator navigates to a page that displays client information, including the hostname.
Step 6: Payload Execution: The UniFi Controller retrieves the malicious hostname from the database and renders it in the administrator's browser without proper encoding. The injected JavaScript payload executes within the administrator's browser context.
Step 7: Exploitation: The injected JavaScript can perform various malicious actions, such as stealing the administrator's session cookies, redirecting the administrator to a phishing site, or executing arbitrary code within the administrator's browser.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation and output encoding in the UniFi Controller's administrator interface. The software does not sanitize or HTML-escape the client hostname before displaying it in the web interface, so an attacker can place JavaScript in the hostname field. When the administrator views the client's information, the injected script executes in the context of the administrator's browser session, enabling the attacker to steal session cookies, redirect the administrator to a phishing site, or perform other malicious actions. The root cause is the missing output encoding (HTML escaping) of client-supplied hostname data when it is rendered in the administrator interface; together with the absence of input validation on the hostname, this allows injection of arbitrary HTML and JavaScript.
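The stored-XSS pattern described in the mechanism and analysis above, shown as an added example (not UniFi code): a vulnerable client-list renderer that concatenates the hostname into HTML beside a hardened one that HTML-escapes on output and flags hostnames that are not legal RFC 1123 names. The record shape, function names and the sample client list are assumptions; the second sample hostname is the page's own example payload.

```javascript
// Constructed sample client records, as a controller might store them.
const clients = [
  { mac: "00:11:22:33:44:55", hostname: "printer-01" },
  { mac: "00:11:22:33:44:66", hostname: "<script>alert('XSS')</script>" },
];

// Vulnerable pattern: the stored hostname is concatenated straight into the
// admin page, so any markup in it becomes part of the page (the defect the
// CVE describes).
function renderClientRowVulnerable(client) {
  return `<tr><td>${client.mac}</td><td>${client.hostname}</td></tr>`;
}

// Output encoding: escape the five characters that are significant in HTML
// text and attribute contexts. This is the missing step at the render sink.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Input validation: RFC 1123 hostname syntax (letters, digits, hyphens,
// dot-separated labels, no leading/trailing hyphen, at most 253 chars).
// Per-label length (63) is not checked here.
const HOSTNAME_RE =
  /^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$/;
function isValidHostname(hostname) {
  return HOSTNAME_RE.test(hostname);
}

// Hardened pattern: always encode on output, and make a non-conforming
// hostname visible to the administrator. A hostname that cannot be a real
// DHCP/DNS name is a useful detection signal for this kind of attempt.
function renderClientRowSafe(client) {
  const flag = isValidHostname(client.hostname) ? "" : " (non-RFC hostname)";
  return `<tr><td>${escapeHtml(client.mac)}</td><td>${escapeHtml(client.hostname)}${flag}</td></tr>`;
}

// Check used to compare the two renderers: true if a raw <script> tag survives.
function containsRawScript(html) {
  return /<script\b/i.test(html);
}
```

Encoding at the sink is the fix for the CVE itself; the validation flag is a complementary control, since the same hostname may also reach other sinks such as logs or exports.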
