Barracuda 垃圾邮件防火墙 多文件参数跨站攻击漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1184264 漏洞类型 跨站脚本
发布时间 2008-12-19 更新时间 2009-01-29
CVE编号 CVE-2008-0971 CNNVD-ID CNNVD-200812-369
漏洞平台 N/A CVSS评分 3.5
|漏洞来源
https://cxsecurity.com/issue/WLB-2008120040
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200812-369
|漏洞详情
BarracudaSpamFirewall是用于保护邮件服务器的集成硬件和软件垃圾邮件解决方案。BarracudaSpamFirewall(BSF)3.5.12.007以前版本,MessageArchiver1.2.1.002以前版本,WebFilter3.3.0.052,IMFirewall3.1.01.017以前版本和LoadBalancer2.3.024以前版本中的'index.cgi'存在多个跨站攻击漏洞,允许攻击者通过多种方式插入任意脚本。
|漏洞EXP
 CVE Numbers: CVE-2008-0971
Vulnerabilities: Multiple Cross-Site Scripting (Persistent & Reflected)
Risk: Medium
Attack vector: From Remote

Vulnerabilities Discovered: 16th June 2008
Vendor Notified: 16th June 2008
Advisory Released: 15th	December 2008


Abstract

Barracuda Networks Message Archiver product is vulnerable to persistent and reflected Cross-Site Scripting (XSS) attacks. Barracuda Spam Firewall, IM Firewall and Web Filter products are vulnerable to multiple reflected XSS attacks. When exploited by an authenticated user, the identified vulnerabilities can lead to Information Disclosure, Session Hijack, 
access to Intranet available servers, etc.


Description

The index.cgi resource was identified as being susceptible to multiple persistent and reflected Cross Site Scripting (XSS) 
attacks. 

a. Persistent XSS in Barracuda Message Archiver 

In Search Based Retention Policy, the Policy Name field allows persistent XSS when set to something like policy_name" onblur="alert('xss')

b. Reflected XSS in Barracuda Message Archiver 

Setting various parameters in IP Configuration, Administration, Journal Accounts, Retention Policy, and GroupWise Sync allow 
reflected XSS attacks.

c. Reflected XSS in Barracuda Spam Firewall, IM Firewall and Web Filter

  ·  User provided input is not sanitised when displayed as part of error messages - identified in all verified products.
  ·  User provided input is not sanitised when used to perform various searches - identified in Barracuda Web Filter.
  ·  Manipulation of HTML INPUT hidden elements - identified in all verified products.
  e.g auth_type INPUT hidden element allows a reflected XSS attack when set to something like 
 Local"><script>alert('xss')</script>


Original Advisory:

http://dcsl.ul.ie/advisories/03.htm


Barracuda Networks Technical Alert

http://www.barracudanetworks.com/ns/support/tech_alert.php


Affected Versions

Barracuda Message Archiver (Firmware v1.1.0.010, Model 350)
Barracuda Spam Firewall (Firmware v3.5.11.020, Model 600)
Barracuda Web Filter (Firmware v3.3.0.038, Model 910)
Barracuda IM Firewall (Firmware v3.0.01.008, Model 420)

Other models/firmware versions might be affected.


Mitigation

Vendor recommends upgrading to the following firmware version:

Barracuda Message Archiver Release 1.2.1.002 (2008-07-22)
Barracuda Spam Firewall Release 3.5.12.007 (2008-10-24)
Barracuda Web Filter Release 3.3.0.052 (2008-08-04)
Barracuda IM Firewall Release 3.1.01.017 (2008-07-02)
Barracuda Load Balancer Release 2.3.024 (2008-10-20)

Alternatively, please contact Barracuda Networks for technical support.


Credits

Dr. Marian Ventuneac, marian.ventuneac_at_ul&#46;ie
Data Communication Security Laboratory, Department of Electronic & Computer Engineering, University of Limerick


Disclaimer

Data Communication Security Laboratory releases this information with the vendor acceptance. DCSL is not responsible for any malicious application of the information presented in this advisory. 
|参考资料

来源:BUGTRAQ
名称:20081216CVE-2008-0971-BarracudaNetworksproductsMultipleCross-SiteScriptingVulnerabilities
链接:http://www.securityfocus.com/archive/1/archive/1/499294/100/0/threaded
来源:OSVDB
名称:50709
链接:http://www.osvdb.org/50709
来源:www.barracudanetworks.com
链接:http://www.barracudanetworks.com/ns/support/tech_alert.php
来源:SECTRACK
名称:1021454
链接:http://securitytracker.com/id?1021454
来源:SREASON
名称:4792
链接:http://securityreason.com/securityalert/4792
来源:SECUNIA
名称:33164
链接:http://secunia.com/advisories/33164
来源:MISC
链接:http://dcsl.ul.ie/advisories/03.htm