Barracuda Networks Spam Firewall Cross-Site Scripting Vulnerability
CVE Number: CVE-2008-2333
Vulnerability Type / Importance: Cross-Site Scripting (Reflected) / Medium
Problem Discovered 24 April 2008
Vendor Contacted 24 April 2008
Advisory Published 22 May 2008
Abstract
The Barracuda Spam Firewall device web administration interface is
vulnerable to a reflected cross-site scripting vulnerability which may
allow theft of administrative credentials or downloading of malicious
content.
Description:
The Barracuda device presents LDAP testing functionality via a script
called 'ldap_test.cgi'. The script does not sufficiently validate
user-supplied input within the 'email' parameter. As a result,
client-supplied script code can be injected into the 'email' parameter
that would execute in the browser within the security context of the
Barracuda device.
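A defender-side check for the issue described above, as an added example that is not part of the IRM advisory or the vendor's code: it scans web access logs for requests to 'ldap_test.cgi' whose 'email' value, once fully percent-decoded, is not a plain address. The combined log format, the allow-list pattern and the function names are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines (combined log format assumed; not from a real device).
SAMPLE_LOG = """\
192.0.2.10 - - [22/May/2008:10:01:02 +0000] "GET /cgi-bin/ldap_test.cgi?host=127.0.0.1&port=389&domain=*&email=admin%40example.com HTTP/1.1" 200 812
198.51.100.7 - - [22/May/2008:10:03:40 +0000] "GET /cgi-bin/ldap_test.cgi?host=127.0.0.1&port=1&domain=*&email=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 901
198.51.100.7 - - [22/May/2008:10:04:11 +0000] "GET /cgi-bin/ldap_test.cgi?host=127.0.0.1&email=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 640
192.0.2.10 - - [22/May/2008:10:05:00 +0000] "GET /cgi-bin/index.cgi?email=%3Cb%3E HTTP/1.1" 200 100
"""

LOG_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?:GET|POST|HEAD) (?P<target>\S+)'
)

# Allow-list: what a legitimate 'email' test value should look like (assumption).
EMAIL_OK = re.compile(r"[\w.+-]+@[\w.-]+")


def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so double-encoded markup is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan(log_text):
    """Return (client, timestamp, decoded_email) for suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, when, target = m.group("client", "when", "target")
        url = urlsplit(target)
        if not url.path.endswith("/ldap_test.cgi"):
            continue
        # parse_qs performs the first round of percent-decoding.
        for raw in parse_qs(url.query, keep_blank_values=True).get("email", []):
            value = fully_decode(raw)
            # Empty values are normal for this form; anything non-empty that
            # is not address-shaped is reported for review.
            if value and not EMAIL_OK.fullmatch(value):
                findings.append((client, when, value))
    return findings


if __name__ == "__main__":
    for client, when, value in scan(SAMPLE_LOG):
        print(f"{when} {client} suspicious email parameter: {value!r}")
```

Only parameters carried in the request line are visible to this check; values sent in a POST body do not appear in an access log.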
Vendor information:
http://www.barracudanetworks.com/ns/support/tech_alert.php
Mitigation:
Access to the web management application can be limited by IP address.
Firmware release 3.5.11.025 has been released by the vendor to address
this issue; however the patch has not been tested by IRM.
Tested/Affected Versions:
IRM confirmed the presence of this vulnerability in Barracuda Spam
Firewall 600 Firmware 3.5.11.020.
The vendor has confirmed the issue exists in all versions prior to
3.5.11.025.
Credits
Research and Advisory: Information Risk Management Plc.
About IRM:
Information Risk Management Plc (IRM) is a vendor independent
information risk consultancy, founded in 1998. IRM has become a leader
in client side risk assessment, technical level auditing and in the
research and development of security vulnerabilities and tools. IRM is
headquartered in London with Technical Centres in Europe and Asia as
well as Regional Offices in the Far East and North America. Please visit
our website at www.irmplc.com for further information.
Disclaimer:
All information in this advisory is provided on an 'as is' basis in the
hope that it will be useful. Information Risk Management Plc is not
responsible for any risks or occurrences caused by the application of
this information.