The administration service web pages on the Brother MFC-J4410DW model printer are vulnerable to reflected cross-site scripting through the “url” querystring parameter. This allows a user’s session to be hijacked or allows an attacker to take control of the user’s browser. For cross-site scripting to be exploited by an attacker, a victim needs to visit a specially crafted link created by the attacker, for example sent to the victim in an email.
The following proof of concept example demonstrates this vulnerability. Note that all pages which process this querystring parameter are also be vulnerable.
https://printer/general/status.html?url="/><script>alert("XSS!")</script><input%20type="hidden"%20value="#<form method="post" action="/general/status.html">
<div>Login<input type="password" id="LogBox" name="Nd0" />
<input type="hidden" name="loginurl" value="/general/status.html?url="/><script>alert("XSS!")</script><input%20type="hidden"%20value=""/>
<input id="login" type="submit" value=" " />
</div>
</form>
While cross-site scripting is a well-known flaw that is being widely used in phishing attacks, it requires an element of social engineering in order to be successful. As this web page would typically be accessible only from within an organisation an attacker would either require knowledge of internal systems, or would be using this in combination with other, more targeted attacks. This issue does, however, highlight the need to consider all network connected assets, such as printers, in a technical vulnerability management process.
For more information on this particular example, review BID 71911 (https://www.securityfocus.com/bid/71911). For general information on cross-site scripting, and on measures which can be used to prevent it, review the Open Web Application Security Project article at https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet.