Barracuda Networks Bug Bounty #38 Message Archiver - Multiple Vulnerabilities
Barracuda Networks Security ID (BNSEC): BNSEC-1530
Vulnerability Laboratory ID (VL-ID):
Common Vulnerability Scoring System:
Product & Service Introduction:
Barracuda Networks, Inc. offers industry-leading solutions designed to solve mainstream IT problems – efficiently and
cost effectively – while maintaining a level of customer support and satisfaction second to none. Their products span
three distinct markets, including:
1. Content security,
2. Networking and application delivery,
3. Data storage, protection and disaster recovery.
While Barracuda Networks maintain a strong heritage in email and web security appliances, their award-winning portfolio
includes more than a dozen purpose-built solutions that support literally every aspect of the network – providing organizations
of all sizes with true end-to-end protection that can be deployed in hardware, virtual, cloud and mixed form factors.
CitiBank, Coca-Cola, Delta Dental, FedEx, Harvard University, IBM, L`Oreal, Liberty Tax Service, Mythbusters and Spokane Public
Schools are amongst the more than 150,000 organizations worldwide confidently protecting their users, applications and data with
Barracuda Networks’ solutions. The company is privately held with its international headquarters and manufacturing facility based
in Campbell, California. Barracuda Networks has offices in eight international locations and distributors in more than 80 countries.
The Barracuda Message Archiver is a complete and affordable email archiving solution, enabling you to effectively index and preserve
all emails, enhance operational efficiencies and enforce policies for regulatory compliance. By leveraging standard policies and seamless
access to messages, email content is fully indexed and backed up to enable administrators, auditors and end users quick retrieval of any
email message stored in an organization’s email archive.
- Comprehensive archiving
- Exchange stubbing
- Search and retrieval
- Policy management
- Intelligent Storage Manager
- Roles-based interface
- Reporting and statistics
The Barracuda Message Archiver features an easy-to-use Web user interface, creating an intuitive and cost-effective administration tool
for the integrated hardware and software solution. The Web user interface allows administrators to define, manage and control corporate
archiving settings and rules from one central location.
(Copy of the Vendor Homepage: http://www.barraguard.com/650.asp )
Abstract Advisory Information:
The vulnerability Laboratory Research Team has discovered multiple web validation vulnerabilities in the barracuda Message Archiver v650 Product.
Vulnerability Disclosure Timeline:
2016-01-08: Public Disclosure (Vulnerability Laboratory)
Product: Message Archiver 650 - Appliance Application 188.8.131.524
Technical Details & Description:
Multiple client side cross site web vulnerabilities has been discovered in the official Barracuda Networks Message Archiver 650 Appliance Web-Application.
The non-persistent cross site scripting web vulnerability allows remote attackers to manipulate client-side web-application to browser requests.
The payload can be injected in multiple parameters of the affected file in order to successfully exploit this web vulnerability.
The vulnerability affects the `view_message_log_detail.cgi` file and the code execution happens when the application renders an error
handling exception or handles an event. During the testing, the value of the vulnerable request parameters was copied into the value
of an HTML tag attribute which was an event handler and or exception handler and was encapsulated in double quotation marks. The payload
ea120`">9335e4791a6 was submitted in all affected parameters. This input was echoed unmodified in the application`s
response proving the existence of this vulnerability. These sort of vulnerabilities can result in multiple attack vectors on the client end
which may eventually result in complete compromise of the end user system.
Exploitation of this client side cross site scripting web vulnerability requires only low user interaction. Successful exploitation of
the vulnerability may result in malicious script code being executed in the victims browser resulting in script code injection, phishing,
client-side redirects and similar client-side web attacks.
[+] /cgi-mod/view_message_log_detail.cgi [et parameter]
[+] /cgi-mod/view_message_log_detail.cgi [locale parameter]
[+] /cgi-mod/view_message_log_detail.cgi [password parameter]
[+] /cgi-mod/view_message_log_detail.cgi [primary_tab parameter]
[+] /cgi-mod/view_message_log_detail.cgi [realm parameter]
[+] /cgi-mod/view_message_log_detail.cgi [secondary_tab parameter]
Proof of Concept (PoC):
The client-side cross site scripting web vulnerability can be exploited by remote attackers with low or medium required user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
POC URL #1: (XSS in error exception handling)
POC URL #2: (XSS in event handler)
POC URL #3: (document cookie)
Source Code (Exception Handling)