Category:   Device (Embedded Server/Appliance)  >   Barracuda Spam Firewall
Vendors:   Barracuda Networks
Barracuda Spam Firewall Input Validation Holes in 'index.cgi' Permit Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1021454
SecurityTracker URL:  http://securitytracker.com/id/1021454
CVE Reference:   CVE-2008-0971
Date:  Dec 17 2008
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): Model 600, firmware v3.5.11.020; possibly other versions
Description:   A vulnerability was reported in Barracuda Spam Firewall. A remote user can conduct cross-site scripting attacks.

The 'index.cgi' script does not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target authenticated administrative user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the Barracuda Spam Firewall device and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The Barracuda Message Archiver, Barracuda Web Filter, Barracuda Load Balancer, and Barracuda IM Firewall products are also affected.

The vendor was notified on June 16, 2008.

The original advisory is available at:

http://dcsl.ul.ie/advisories/03.htm

Dr. Marian Ventuneac of the Data Communication Security Laboratory, Department of Electronic and Computer Engineering, University of Limerick reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the Barracuda Spam Firewall device, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fix (3.5.12.007 (2008-10-24)).

The vendor has also issued fixes for other affected products:

Barracuda Message Archiver Release 1.2.1.002 (2008-07-22)
Barracuda Web Filter Release 3.3.0.052 (2008-08-04)
Barracuda IM Firewall Release 3.1.01.017 (2008-07-02)
Barracuda Load Balancer Release 2.3.024 (2008-10-20)

The vendor's advisory is available at:

http://www.barracudanetworks.com/ns/support/tech_alert.php

Vendor URL:  www.barracudanetworks.com/
Cause:   Input validation error

Message History:   None.


 Source Message Contents

Subject:  CVE-2008-0971 - Barracuda Networks products Multiple Cross-Site


CVE Numbers: CVE-2008-0971
Vulnerabilities: Multiple Cross-Site Scripting (Persistent & Reflected)
Risk: Medium
Attack vector: From Remote

Vulnerabilities Discovered: 16th June 2008
Vendor Notified: 16th June 2008
Advisory Released: 15th December 2008


Abstract

Barracuda Networks Message Archiver product is vulnerable to persistent and reflected Cross-Site Scripting (XSS) attacks. Barracuda Spam Firewall, IM Firewall and Web Filter products are vulnerable to multiple reflected XSS attacks. When exploited by an authenticated user, the identified vulnerabilities can lead to Information Disclosure, Session Hijack, access to Intranet available servers, etc.


Description

The index.cgi resource was identified as being susceptible to multiple persistent and reflected Cross Site Scripting (XSS) attacks.

a. Persistent XSS in Barracuda Message Archiver 

In Search Based Retention Policy, the Policy Name field allows persistent XSS when set to something like policy_name" onblur="alert('xss')

b. Reflected XSS in Barracuda Message Archiver 

Setting various parameters in IP Configuration, Administration, Journal Accounts, Retention Policy, and GroupWise Sync allows reflected XSS attacks.

c. Reflected XSS in Barracuda Spam Firewall, IM Firewall and Web Filter

e.g. auth_type INPUT hidden element allows a reflected XSS attack when set to something like Local"><script>alert('xss')</script>


Original Advisory:

http://dcsl.ul.ie/advisories/03.htm


Barracuda Networks Technical Alert

http://www.barracudanetworks.com/ns/support/tech_alert.php


Affected Versions

Barracuda Message Archiver (Firmware v1.1.0.010, Model 350)
Barracuda Spam Firewall (Firmware v3.5.11.020, Model 600)
Barracuda Web Filter (Firmware v3.3.0.038, Model 910)
Barracuda IM Firewall (Firmware v3.0.01.008, Model 420)

Other models/firmware versions might be affected.


Mitigation

Vendor recommends upgrading to the following firmware version:

Barracuda Message Archiver Release 1.2.1.002 (2008-07-22)
Barracuda Spam Firewall Release 3.5.12.007 (2008-10-24)
Barracuda Web Filter Release 3.3.0.052 (2008-08-04)
Barracuda IM Firewall Release 3.1.01.017 (2008-07-02)
Barracuda Load Balancer Release 2.3.024 (2008-10-20)

Alternatively, please contact Barracuda Networks for technical support.


Credits

Dr. Marian Ventuneac, marian.ventuneac@ul.ie
Data Communication Security Laboratory, Department of Electronic & Computer Engineering, University of Limerick


Disclaimer

Data Communication Security Laboratory releases this information with the vendor's acceptance. DCSL is not responsible for any malicious application of the information presented in this advisory.
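
The attribute breakout described above for the auth_type hidden INPUT element and the Policy Name field, shown next to attribute-context output encoding with a structural check that can serve as a regression test. This is an added example, not code from the advisory or from Barracuda Networks; the input template and the function names are assumptions, and the two sample values are the ones quoted in the advisory.

```python
import html
from html.parser import HTMLParser

# Values quoted in the advisory for the Policy Name field and auth_type element.
PAYLOADS = [
    "policy_name\" onblur=\"alert('xss')",
    "Local\"><script>alert('xss')</script>",
]

# Assumed markup: the appliance's real template is not shown in the advisory.
TEMPLATE = '<input type="hidden" name="%s" value="%s">'

def render_unsafe(name, value):
    # Vulnerable pattern: request value placed in a quoted attribute as-is.
    return TEMPLATE % (name, value)

def render_safe(name, value):
    # Attribute-context encoding: &, <, > and both quote characters escaped.
    return TEMPLATE % (html.escape(name, quote=True),
                       html.escape(value, quote=True))

class TagAudit(HTMLParser):
    """Records every start tag and its attributes in a rendered fragment."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def audit(fragment):
    parser = TagAudit()
    parser.feed(fragment)
    parser.close()
    return parser.tags

def is_contained(fragment, value):
    """True when the fragment parses as exactly one <input> carrying only the
    expected attributes and its decoded value equals the submitted input."""
    tags = audit(fragment)
    return (len(tags) == 1
            and tags[0][0] == "input"
            and set(tags[0][1]) == {"type", "name", "value"}
            and tags[0][1]["value"] == value)
```

Running is_contained over both renderings of each value shows the unescaped form gaining an onblur attribute or a script element, while the escaped form round-trips the same input as inert attribute data.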