Document Title: =============== Barracuda EMail Security 2.0.2 - Multiple Web Vulnerabilities Date: ===== 2012-07-31 References: =========== http://www.vulnerability-lab.com/get_content.php?id=621 http://www.vulnerability-lab.com/get_content.php?id=563 Barracuda Networks Security ID: BNSEC-304 VL-ID: ===== 621 Common Vulnerability Scoring System: ==================================== 4.1 Introduction: ============= The Barracuda Email Security Service is a comprehensive and affordable cloud-based email security service that protects both inbound and outbound email against the latest spam, viruses, worms, phishing and denial of service attacks. Barracuda Email Security Service also includes email encryption and Data Loss Prevention features. The Barracuda Email Security Service leverages advanced security technologies from the industry-leading Barracuda Spam & Virus Firewall and features rich multiple cloud-based protection: Rate control and Denial of Service (DoS) protection Reputation-based blocking from known spam and malware sources Anti-virus, featuring the patent-pending Barracuda Anti-Virus Supercomputing Grid Anti-phishing, using the Barracuda Anti-Fraud Intelligence Protection against spam, phishing, fraud and emails with other malicious intent Custom sender/recipient policy Comprehensive Protection Spam and viruses are blocked in the cloud prior to delivery to the customer, saving network bandwidth and providing additional Denial of Service protection. In addition to network bandwidth savings, cloud-based filtering offloads any processing required for spam and virus filtering from the email server. By leveraging the compute capacity available in the cloud, patent-pending Barracuda Anti-Virus Supercomputing Grid not only detects new outbreaks similar to known viruses, it also identifies new threats for which signatures have never existed. (Copy of the Vendor Homepage: https://www.barracudanetworks.com/ns/products/bess_overview.php ) Abstract: ========= The Vulnerability Laboratory Research Team discovered an input filter bypass & 2 persistent web vulnerabilities in Barracudas EMail Security Application UI v2.0.2. Report-Timeline: ================ 2012-06-20: Researcher Notification & Coordination 2012-06-23: Vendor Notification 2012-07-01: Vendor Response/Feedback 2012-07-24: Vendor Fix/Patch 2012-08-01: Public or Non-Public Disclosure Status: ======== Published Affected Products: ================== Barracuda Networks Product: EMail Security Appliance Application vUI 2.0.2 & older versions Exploitation-Technique: ======================= Remote Severity: ========= Medium Details: ======== A filter bypass vulnerability & 2 persistent input validation vulnerabilities are detected in Barracudas EMail Security Application UI v2.0.2. The vulnerability allows an attacker (remote) to bypass the input validation & exception handling to inject or display own malicious persistent context on application-side (persistent). The vulnerabilities are located in the Domain Settings > Directory Services > LDAP Host module with the vulnerable bound name parameter. The second persistent vulnerability is located in the reports module with the bound vulnerable parameters start date & end date. Exploitation requires low user inter action & privileged application user account. Successful exploitation of the vulnerability can lead to session hijacking (admin) or stable (persistent) context manipulation. Vulnerable Module(s): [+] Domain Settings > Directory Services > LDAP Host (/domains/info/4) [+] Reports (../reports) Vulnerale Parameter(s): [+] LDAP Host > NAME [+] Reports > Date Start & Date End Proof of Concept: ================= 1.1 The persistent web vulnerability can be exploited by remote attackers with privileged user account & low user inter action. For demonstration or reproduce ... Review: Domain Settings > Directory Services > LDAP Host

Directory Services

loading... Connecting to >"
Synchronize Now Test Settings

@gmail.com >"< div style="1@gmail.com 0" type="text"> URL: https://ess.127.0.0.1:1338/domains/info/4 PoC: >">"