MVSA-08-002

 
CVE:
CVE-2008-0971
Vendor:
Barracuda Networks
Products:
Barracuda Message Archiver
Barracuda Spam Firewall
Barracuda Web Filter
Barracuda IM Firewall
Barracuda Load Balancer

Vulnerabilities:
Multiple Persistent and Reflected XSS
Risk:
Medium
Attack Vector:
From Remote
Authentication:
Required
References:
Original Advisory: http://dcsl.ul.ie/advisories/03.html
Barracuda Tech Alerts: http://www.barracudanetworks.com/ns/support/tech_alert.php

 
Description
 
Barracuda Networks Message Archiver product is vulnerable to persistent and reflected Cross-Site Scripting (XSS) attacks. Barracuda Spam Firewall, IM Firewall and Web Filter products are vulnerable to multiple reflected XSS attacks. When exploited by an authenticated user, the identified vulnerabilities can lead to Information Disclosure, Session Hijack, enable access to Intranet available servers, etc.
 
The index.cgi resource was identified as being susceptible to multiple persistent and reflected Cross Site Scripting (XSS) attacks.
  1. Persistent XSS in Barracuda Message Archiver
    In Search Based Retention Policy, the Policy Name field allows persistent XSS when set to something like 
    policy_name" onblur="alert('xss')
  2. Reflected XSS in Barracuda Message Archiver
    Setting various parameters in IP Configuration, Administration, Journal Accounts, Retention Policy, and GroupWise Sync allow 
    reflected XSS attacks.
  3. Reflected XSS in Barracuda Spam Firewall, IM Firewall and Web Filter
    • User provided input is not sanitised when displayed as part of error messages - identified in all verified products.
    • User provided input is not sanitised when used to perform various searches - identified in Barracuda Web Filter.
    • Manipulation of HTML INPUT hidden elements - identified in all verified products, e.g auth_type INPUT hidden element allows a reflected XSS attack when set to something like Local"><script>alert('xss')</script>

Affected Versions


Barracuda Message Archiver Release 1.1.0.010 (2008-02-15) and earlier
Barracuda Spam Firewall Release 3.5.11.020 (2008-02-26) and earlier
Barracuda Web Filter Release 3.3.0.038 (2008-02-19) and earlier
Barracuda IM Firewall Release 3.0.01.008 (2008-02-05) and earlier
Barracuda Load Balancer Release 2.2.006 (2008-09-05) and earlier

Mitigation

 

Vendor recommends upgrading to the following firmware version:
 
Barracuda IM Firewall (Firmware v3.1.01.017)
Barracuda Message Archiver (Firmware v1.2.1.002)
Barracuda Spam Firewall (Firmware v3.5.12.001)
Barracuda Web Filter (Firmware v3.3.0.052)
Barracuda Load Balancer (Firmware v2.3.024)
 
Alternatively, please contact Barracuda Networks for technical support. 

Disclosure Timeline

16 June 2008: Vulnerabilities discovered and documented
16 June 2008: Vendor notified
15 December 2008: Original advisory published
 

MVSA-08-002
Dr. Marian Ventuneac

Comments