Disclosure: Barracuda Spam Firewall XSS & Hashed Password Disclosure

[This was originally published on OSVDB, now gone, and touched up slightly for style. Mirrored on attrition.org. VulnDB 20878 & 20879]

From: Jericho jericho@xxxxx.net
To: support(at)barracudanetworks.com
Cc: netsupport@xxxxx.net
Date: Fri, 01 Jul 2005 03:37:18 -0600
Subject: Barracuda Spam Firewall Cross Site Scripting (XSS) Vulnerabilities


My ISP uses the Barracuda Networks Spam Firewall, Firmware v3.1.17 (2005-08-06 11:48:38). When editing my e-mail account preferences, I noticed that a few fields were prone to cross site scripting (XSS) attacks.

The URL:

http://[my isp]:8000/cgi-bin/index.cgi

Pages – Fields:

Whitelist/Blacklist – Email Address field (add_user_scana_sender_allow and add_user_scana_sender_block form fields)

Quarantine Settings – Notification Address (UPDATE_user_quarantine_email_address field)

Put the following text into the field, and it will render the script:

A second issue I noticed: my e-mail account password is stored as an encoded value in a hidden field. The password (encoded) is also used in various HREFs, causing it to be visible in the browser. This means it is transmitted without the protection of SSL encryption, a known secure standard.


Barracuda Networks
Barracuda Spam Firewall
Firmware v3.1.17 (2005-08-06 11:48:38)

Subject: xxxxx Ticket-No.378972
Date: Fri, 01 Jul 2005 09:14:03 -0600
From: netsupport@xxxxx.net
To: jericho@xxxxx.net

[===> Please enter your reply below this line <===]

[===> Please enter your reply above this line <===]

Your Ticket: 378972
Description: Barracuda Email Concerns/Questions

This action has been taken:
Note added: xxxxx

These notes are included:

Hi Brian –

I’ve reviewed the email you sent to Barracuda, and would like to point out a few things. First, the barracuda interface does not use cookies to store any data, so the effects of the XSS vulnerability you described are minimized. Second, the password field is hashed against another token that seems to be very specific to your current session. The URL can not be reused from another location, so even if you were using the interface off our network and someone was able to sniff the URL, they would not be able to use those tokens to gain access to your quarantine interface. The only “portable” URL tokens are in the quarantine reports that are sent to you. If using these links causes you concern, you can generate a password to log into the interface which will not involve any such “portable” login tokens.

Finally, if you do set up a password, you can login at https://barracuda.xxxxx.net which uses a self-signed certificate. This still uses the authentication tokens in the URL, but as noted, they are not reusable from another location. Please let me know if you have any other questions or concerns, and I will be happy to pass them on to our vendor.
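The server-side fix the report implies, as an added example that is not part of the disclosure or of Barracuda's code: the three named fields only ever hold an e-mail address, so the handler can refuse anything else before rendering and still HTML-escape whatever it echoes back. The form markup, function names and test value are constructed for illustration.

```python
import html
import re

# Field names are the ones in the report; the <input> markup below is a
# constructed stand-in for the Barracuda form, not the product's own HTML.
EMAIL_FIELDS = (
    "add_user_scana_sender_allow",
    "add_user_scana_sender_block",
    "UPDATE_user_quarantine_email_address",
)

# Allowlist for the value. It is not an RFC 5322 validator; its job is to
# admit ordinary addresses and reject every markup character outright.
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def render_field_vulnerable(name: str, value: str) -> str:
    """Echoes the submitted value back verbatim: the pattern the report describes."""
    return f'<input type="text" name="{name}" value="{value}">'


def render_field_hardened(name: str, value: str) -> str:
    """Accepts only a known field holding a plausible address, then escapes on output."""
    if name not in EMAIL_FIELDS:
        raise ValueError(f"unknown field {name!r}")
    if not _EMAIL_RE.fullmatch(value):
        # Refuse rather than "clean" the input; the caller shows a generic error.
        raise ValueError(f"{name} must be an e-mail address")
    # Escaping is still applied even though the allowlist excludes <, >, " and &,
    # so a later loosening of the pattern cannot silently reintroduce the bug.
    safe_name = html.escape(name, quote=True)
    safe_value = html.escape(value, quote=True)
    return f'<input type="text" name="{safe_name}" value="{safe_value}">'


if __name__ == "__main__":
    # Constructed regression value: closes the attribute and injects a harmless tag.
    probe = '"><i>marker</i>'
    print(render_field_vulnerable("add_user_scana_sender_allow", probe))
    try:
        render_field_hardened("add_user_scana_sender_allow", probe)
    except ValueError as exc:
        print("rejected:", exc)
    print(render_field_hardened("UPDATE_user_quarantine_email_address", "user@example.net"))
```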
