Document Title:
===============
Barracuda MAS - (ldap_load_entry.cgi) XSS Vulnerability
Date:
=====
2018-11-12
References:
===========
https://www.vulnerability-lab.com/get_content.php?id=2168
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20369
CVE-ID:
=======
CVE-2018-20369
VL-ID:
======
2168
Common Vulnerability Scoring System:
====================================
4
Vulnerability Class:
====================
Cross Site Scripting - Non Persistent
Abstract:
=========
The Vulnerability Laboratory core research team discovered a client-side cross site scripting vulnerability in the Barracuda Networks MAS appliance web-application.
Report-Timeline:
================
2018-11-12: Public Disclosure (Vulnerability Laboratory)
Status:
========
Published
Affected Products:
==================
Barracuda Networks
Product: CC MAS - Appliance (Web-Application) v2018 MA
Exploitation-Technique:
=======================
Remote
Severity:
=========
Medium
Details:
========
A client-side cross site scripting web vulnerability has been discovered in the official Barracuda Networks MAS 2018 appliance web-application.
The non-persistent vulnerability allows remote attackers to inject their own malicious script code into client-side web-application requests.
The client-side cross site scripting web vulnerability is located in the `error_msg` exception-handling value of the `ldap_load_entry.cgi` module.
Remote attackers are able to prepare malicious client-side application requests to compromise appliance application accounts. The injection
point of the issue is the vulnerable `Add_Update` module, and the execution occurs in the incorrectly encoded exception-handling output on
insertion of invalid contents. The attack vector of the issue is located on the client-side of the service, and the request method to
execute the injected code is POST (Referer).
Exploitation of the client-side remote vulnerability requires low or medium user interaction and a low privileged application user account.
Successful exploitation leads to customer account theft through hijacking, client-side phishing, client-side external redirects, and
client-side manipulation of the web context of the affected and connected device module.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] LDAP User - Add_Update
Vulnerable File(s):
[+] ldap_load_entry.cgi
Vulnerable Parameter(s):
[+] error_msg (Exception-Handling)
Proof of Concept:
=================
The client-side vulnerability can be exploited by remote attackers and by local low privileged application user accounts with low or medium user interaction.
For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.
Payload: Test
payload>"
PoC: Exploitation
https://mas.localhost:6211/cgi-mod/ldap_load_entry.cgi?user=guest&password=XXX&et=XXX&ldap_user=payload>"
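As an added example (not Barracuda's code, which is not public), a Python stand-in for the request handler that shows the reflection defect described above beside an output-encoded fix, plus a check a tester can run over responses to confirm the value is no longer reflected unencoded. The handler body, parameter handling and message text are assumptions; the query parameter names and the `payload>"` test value come from the PoC.

```python
import html
from urllib.parse import parse_qs

# Constructed stand-in for ldap_load_entry.cgi (hypothetical; the appliance's
# real handler is not public). It renders the `error_msg` exception-handling
# output when the submitted `ldap_user` value cannot be loaded.

def render_error_vulnerable(ldap_user: str) -> str:
    # Defect pattern from the advisory: the user-controlled value is copied
    # into the HTML error output with no output encoding.
    error_msg = f"Could not load LDAP entry for user: {ldap_user}"
    return f'<div class="error_msg">{error_msg}</div>'

def render_error_fixed(ldap_user: str) -> str:
    # Hardened form: HTML-entity-encode the value (quote=True also encodes
    # " and ') so it is always rendered as text, never parsed as markup.
    safe_user = html.escape(ldap_user, quote=True)
    error_msg = f"Could not load LDAP entry for user: {safe_user}"
    return f'<div class="error_msg">{error_msg}</div>'

def handle_request(query_string: str, renderer) -> str:
    # Minimal parameter parsing mirroring the PoC's query string
    # (user, password, et, ldap_user).
    params = parse_qs(query_string, keep_blank_values=True)
    ldap_user = params.get("ldap_user", [""])[0]
    return renderer(ldap_user)

def reflects_unencoded(response_html: str, submitted: str) -> bool:
    # Verification check for a tester: True when the submitted value appears
    # in the response with its markup-significant characters intact.
    if not any(ch in submitted for ch in '<>"\''):
        return False
    return submitted in response_html

if __name__ == "__main__":
    probe = 'payload>"'  # test value from the advisory's PoC
    qs = f"user=guest&password=XXX&et=XXX&ldap_user={probe}"
    for name, renderer in (("vulnerable", render_error_vulnerable),
                           ("fixed", render_error_fixed)):
        body = handle_request(qs, renderer)
        print(name, "reflects unencoded:", reflects_unencoded(body, probe))
```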