ID PACKETSTORM:73065 Type packetstorm Reporter Dr. Marian Ventuneac Modified 2008-12-16T00:00:00
Description
`
CVE Numbers: CVE-2008-0971
Vulnerabilities: Multiple Cross-Site Scripting (Persistent & Reflected)
Risk: Medium
Attack vector: From Remote
Vulnerabilities Discovered: 16th June 2008
Vendor Notified: 16th June 2008
Advisory Released: 15th December 2008
Abstract
Barracuda Networks Message Archiver product is vulnerable to persistent and reflected Cross-Site Scripting (XSS) attacks. Barracuda Spam Firewall, IM Firewall and Web Filter products are vulnerable to multiple reflected XSS attacks. When exploited by an authenticated user, the identified vulnerabilities can lead to Information Disclosure, Session Hijack,
access to Intranet available servers, etc.
Description
The index.cgi resource was identified as being susceptible to multiple persistent and reflected Cross Site Scripting (XSS)
attacks.
a. Persistent XSS in Barracuda Message Archiver
In Search Based Retention Policy, the Policy Name field allows persistent XSS when set to something like policy_name" onblur="alert('xss')
b. Reflected XSS in Barracuda Message Archiver
Setting various parameters in IP Configuration, Administration, Journal Accounts, Retention Policy, and GroupWise Sync allow
reflected XSS attacks.
c. Reflected XSS in Barracuda Spam Firewall, IM Firewall and Web Filter
· User provided input is not sanitised when displayed as part of error messages - identified in all verified products.
· User provided input is not sanitised when used to perform various searches - identified in Barracuda Web Filter.
· Manipulation of HTML INPUT hidden elements - identified in all verified products.
e.g auth_type INPUT hidden element allows a reflected XSS attack when set to something like
Local"><script>alert('xss')</script>
Original Advisory:
http://dcsl.ul.ie/advisories/03.htm
Barracuda Networks Technical Alert
http://www.barracudanetworks.com/ns/support/tech_alert.php
Affected Versions
Barracuda Message Archiver (Firmware v1.1.0.010, Model 350)
Barracuda Spam Firewall (Firmware v3.5.11.020, Model 600)
Barracuda Web Filter (Firmware v3.3.0.038, Model 910)
Barracuda IM Firewall (Firmware v3.0.01.008, Model 420)
Other models/firmware versions might be affected.
Mitigation
Vendor recommends upgrading to the following firmware version:
Barracuda Message Archiver Release 1.2.1.002 (2008-07-22)
Barracuda Spam Firewall Release 3.5.12.007 (2008-10-24)
Barracuda Web Filter Release 3.3.0.052 (2008-08-04)
Barracuda IM Firewall Release 3.1.01.017 (2008-07-02)
Barracuda Load Balancer Release 2.3.024 (2008-10-20)
Alternatively, please contact Barracuda Networks for technical support.
Credits
Dr. Marian Ventuneac, marian.ventuneac@ul.ie
Data Communication Security Laboratory, Department of Electronic & Computer Engineering, University of Limerick
Disclaimer
Data Communication Security Laboratory releases this information with the vendor acceptance. DCSL is not responsible for any malicious application of the information presented in this advisory.
`
{"id": "PACKETSTORM:73065", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Barracuda Message Archiver", "description": "", "published": "2008-12-16T00:00:00", "modified": "2008-12-16T00:00:00", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://packetstormsecurity.com/files/73065/Barracuda-Message-Archiver.html", "reporter": "Dr. Marian Ventuneac", "references": [], "cvelist": ["CVE-2008-0971"], "lastseen": "2016-12-05T22:25:07", "viewCount": 2, "enchantments": {"score": {"value": 5.2, "vector": "NONE", "modified": "2016-12-05T22:25:07", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-0971"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:9522"]}, {"type": "nessus", "idList": ["BARRACUDA_SPAM_FIREWALL_3_5_12_007.NASL"]}], "modified": "2016-12-05T22:25:07", "rev": 2}, "vulnersScore": 5.2}, "sourceHref": "https://packetstormsecurity.com/files/download/73065/barracudama-xss.txt", "sourceData": "` \nCVE Numbers: CVE-2008-0971 \nVulnerabilities: Multiple Cross-Site Scripting (Persistent & Reflected) \nRisk: Medium \nAttack vector: From Remote \n \nVulnerabilities Discovered: 16th June 2008 \nVendor Notified: 16th June 2008 \nAdvisory Released: 15th December 2008 \n \n \nAbstract \n \nBarracuda Networks Message Archiver product is vulnerable to persistent and reflected Cross-Site Scripting (XSS) attacks. Barracuda Spam Firewall, IM Firewall and Web Filter products are vulnerable to multiple reflected XSS attacks. When exploited by an authenticated user, the identified vulnerabilities can lead to Information Disclosure, Session Hijack, \naccess to Intranet available servers, etc. \n \n \nDescription \n \nThe index.cgi resource was identified as being susceptible to multiple persistent and reflected Cross Site Scripting (XSS) \nattacks. \n \na. Persistent XSS in Barracuda Message Archiver \n \nIn Search Based Retention Policy, the Policy Name field allows persistent XSS when set to something like policy_name\" onblur=\"alert('xss') \n \nb. Reflected XSS in Barracuda Message Archiver \n \nSetting various parameters in IP Configuration, Administration, Journal Accounts, Retention Policy, and GroupWise Sync allow \nreflected XSS attacks. \n \nc. Reflected XSS in Barracuda Spam Firewall, IM Firewall and Web Filter \n \n\u00b7 User provided input is not sanitised when displayed as part of error messages - identified in all verified products. \n\u00b7 User provided input is not sanitised when used to perform various searches - identified in Barracuda Web Filter. \n\u00b7 Manipulation of HTML INPUT hidden elements - identified in all verified products. \ne.g auth_type INPUT hidden element allows a reflected XSS attack when set to something like \nLocal\"><script>alert('xss')</script> \n \n \nOriginal Advisory: \n \nhttp://dcsl.ul.ie/advisories/03.htm \n \n \nBarracuda Networks Technical Alert \n \nhttp://www.barracudanetworks.com/ns/support/tech_alert.php \n \n \nAffected Versions \n \nBarracuda Message Archiver (Firmware v1.1.0.010, Model 350) \nBarracuda Spam Firewall (Firmware v3.5.11.020, Model 600) \nBarracuda Web Filter (Firmware v3.3.0.038, Model 910) \nBarracuda IM Firewall (Firmware v3.0.01.008, Model 420) \n \nOther models/firmware versions might be affected. \n \n \nMitigation \n \nVendor recommends upgrading to the following firmware version: \n \nBarracuda Message Archiver Release 1.2.1.002 (2008-07-22) \nBarracuda Spam Firewall Release 3.5.12.007 (2008-10-24) \nBarracuda Web Filter Release 3.3.0.052 (2008-08-04) \nBarracuda IM Firewall Release 3.1.01.017 (2008-07-02) \nBarracuda Load Balancer Release 2.3.024 (2008-10-20) \n \nAlternatively, please contact Barracuda Networks for technical support. \n \n \nCredits \n \nDr. Marian Ventuneac, marian.ventuneac@ul.ie \nData Communication Security Laboratory, Department of Electronic & Computer Engineering, University of Limerick \n \n \nDisclaimer \n \nData Communication Security Laboratory releases this information with the vendor acceptance. DCSL is not responsible for any malicious application of the information presented in this advisory. \n`\n", "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T05:35:12", "description": "Multiple cross-site scripting (XSS) vulnerabilities in index.cgi in Barracuda Spam Firewall (BSF) before 3.5.12.007, Message Archiver before 1.2.1.002, Web Filter before 3.3.0.052, IM Firewall before 3.1.01.017, and Load Balancer before 2.3.024 allow remote attackers to inject arbitrary web script or HTML via (1) the Policy Name field in Search Based Retention Policy in Message Archiver; unspecified parameters in the (2) IP Configuration, (3) Administration, (4) Journal Accounts, (5) Retention Policy, and (6) GroupWise Sync components in Message Archiver; (7) input to search operations in Web Filter; and (8) input used in error messages and (9) hidden INPUT elements in (a) Spam Firewall, (b) IM Firewall, and (c) Web Filter.", "edition": 6, "cvss3": {}, "published": "2008-12-19T17:30:00", "title": "CVE-2008-0971", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-0971"], "modified": "2018-10-15T22:03:00", "cpe": ["cpe:/h:barracuda_networks:barracuda_im_firewall:3.0.01.008", "cpe:/h:barracuda_networks:barracuda_load_balancer:2.2.006", "cpe:/h:barracuda_networks:barracuda_spam_firewall:3.5.11.020", "cpe:/h:barracuda_networks:barracuda_web_filter:3.3.0.038", "cpe:/h:barracuda_networks:barracuda_message_archiver:1.1.0.010"], "id": "CVE-2008-0971", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0971", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:h:barracuda_networks:barracuda_im_firewall:3.0.01.008:*:*:*:*:*:*:*", "cpe:2.3:h:barracuda_networks:barracuda_message_archiver:1.1.0.010:*:*:*:*:*:*:*", "cpe:2.3:h:barracuda_networks:barracuda_web_filter:3.3.0.038:*:*:*:*:*:*:*", "cpe:2.3:h:barracuda_networks:barracuda_load_balancer:2.2.006:*:*:*:*:*:*:*", "cpe:2.3:h:barracuda_networks:barracuda_spam_firewall:3.5.11.020:*:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2018-08-31T11:09:31", "bulletinFamily": "software", "cvelist": ["CVE-2008-1094", "CVE-2008-0971"], "description": "Crossite scripting, SQL injection (in Barracuda Spam Firewall)", "edition": 1, "modified": "2008-12-17T00:00:00", "published": "2008-12-17T00:00:00", "id": "SECURITYVULNS:VULN:9522", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:9522", "title": "Barracuda mail filtering applications multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-01-20T09:25:09", "description": "The remote Barracuda Spam Firewall device is using a firmware version\nprior to version 3.5.12.007. It is, therefore, reportedly affected by\nseveral issues :\n\n - There is a remote SQL injection vulnerability\n involving the 'pattern_x' parameter (where x=0...n) of\n the 'cgi-bin/index.cgi' script when 'filter_x' is set to\n 'search_count_equals'. Successful exploitation requires\n credentials. (CVE-2008-1094)\n\n - There are multiple cross-site scripting vulnerabilities\n due to a failure to sanitize user input when displaying\n error messages and involving multiple hidden input\n elements. (CVE-2008-0971)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported firmware version.", "edition": 28, "published": "2008-12-19T00:00:00", "title": "Barracuda Spam Firewall < 3.5.12.007 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1094", "CVE-2008-0971"], "modified": "2008-12-19T00:00:00", "cpe": ["cpe:/h:barracuda_networks:barracuda_spam_firewall"], "id": "BARRACUDA_SPAM_FIREWALL_3_5_12_007.NASL", "href": "https://www.tenable.com/plugins/nessus/35224", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(35224);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2008-0971\", \"CVE-2008-1094\");\n script_bugtraq_id(32867);\n script_xref(name:\"Secunia\", value:\"33164\");\n script_xref(name:\"EDB-ID\", value:\"7496\");\n\n script_name(english:\"Barracuda Spam Firewall < 3.5.12.007 Multiple Vulnerabilities\");\n script_summary(english:\"checks firmware version\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains CGI scripts that are affected by\nseveral issues.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Barracuda Spam Firewall device is using a firmware version\nprior to version 3.5.12.007. It is, therefore, reportedly affected by\nseveral issues :\n\n - There is a remote SQL injection vulnerability\n involving the 'pattern_x' parameter (where x=0...n) of\n the 'cgi-bin/index.cgi' script when 'filter_x' is set to\n 'search_count_equals'. Successful exploitation requires\n credentials. (CVE-2008-1094)\n\n - There are multiple cross-site scripting vulnerabilities\n due to a failure to sanitize user input when displaying\n error messages and involving multiple hidden input\n elements. (CVE-2008-0971)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported firmware version.\");\n # http://web.archive.org/web/20081225112423/http://dcsl.ul.ie/advisories/02.htm\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4d7c04e2\");\n # http://web.archive.org/web/20130308061107/http://dcsl.ul.ie/advisories/03.htm\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6e6d7709\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2008/Dec/174\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2008/Dec/175\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.barracuda.com/support/techalerts\");\n script_set_attribute(attribute:\"solution\", value:\"Update to firmware release 3.5.12.007 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(79, 89);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/12/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:barracuda_networks:barracuda_spam_firewall\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2008-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"barracuda_detect.nasl\");\n script_require_ports(\"Services/www\", 8000);\n script_require_keys(\"www/barracuda_spamfw\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:8000, embedded:TRUE);\nproduct = \"Barracuda Spam Firewall\";\n\ninstall = get_install_from_kb(\n appname : \"barracuda_spamfw\",\n port : port,\n exit_on_fail:TRUE\n);\ndir = install[\"dir\"];\nfirmware = install[\"ver\"];\n\nif (firmware == UNKNOWN_VER)\n audit(AUDIT_UNKNOWN_WEB_SERVER_VER, product, port);\n\nfix = \"3.5.12.007\";\nif (ver_compare(ver:firmware, fix:fix, strict:FALSE) < 0)\n{\n set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);\n set_kb_item(name:'www/'+port+'/SQLInjection', value:TRUE);\n if (report_verbosity > 0)\n {\n report =\n '\\n Product : ' + product +\n '\\n URL : ' + build_url(qs:dir, port:port) +\n '\\n Installed Version : ' + firmware +\n '\\n Fixed Version : ' + fix + '\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, product, port, firmware);\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}]}
