Barracuda Networks products - Multiple Cross-Site Scripting Vulnerabilities
(CVE Number: CVE-2008-0971)

Vulnerability: Multiple Cross-Site Scripting (Persistent & Reflected)
Risk: Medium
Attack Vector: From Remote
Vulnerability Discovered:    16 June 2008
Vendor Notified: 16 June 2008
Advisory Released: 15 December 2008

Abstract

Barracuda Networks Message Archiver product is vulnerable to persistent and reflected Cross-Site Scripting (XSS) attacks. 
Barracuda Spam Firewall, IM Firewall and Web Filter products are vulnerable to multiple reflected XSS attacks. 
When exploited by an authenticated user, the identified vulnerabilities can lead to Information Disclosure, Session Hijack, 
access to Intranet available servers, etc.

Description

The index.cgi resource was identified as being susceptible to multiple persistent and reflected Cross Site Scripting (XSS) 
attacks. 
  1. Persistent XSS in Barracuda Message Archiver
    In Search Based Retention Policy, the Policy Name field allows persistent XSS when set to something like 
    policy_name" onblur="alert('xss')
  2. Reflected XSS in Barracuda Message Archiver
    Setting various parameters in IP Configuration, Administration, Journal Accounts, Retention Policy, and GroupWise Sync allow 
    reflected XSS attacks.
  3. Reflected XSS in Barracuda Spam Firewall, IM Firewall and Web Filter

Barracuda Networks Technical Alert Article:

http://www.barracudanetworks.com/ns/support/tech_alert.php

Affected Versions

Barracuda Message Archiver (Firmware v1.1.0.010, Model 350)
Barracuda Spam Firewall (Firmware v3.5.11.020, Model 600)
Barracuda Web Filter (Firmware v3.3.0.038, Model 910)
Barracuda IM Firewall (Firmware v3.0.01.008, Model 420)

Other models/firmware versions might be affected.

Mitigation

Vendor recommends upgrading to the following firmware version:

Barracuda IM Firewall (Firmware v3.1.01.017)
Barracuda Message Archiver (Firmware v1.2.1.002)
Barracuda Spam Firewall (Firmware v3.5.12.001)
Barracuda Web Filter (Firmware v3.3.0.052)
Barracuda Load Balancer (Firmware v2.3.024)

Alternatively, please contact Barracuda Networks for technical support.

Credits

Dr. Marian Ventuneac, Data Communications Security Laboratory, Department of Electronic & Computer Engineering, University of Limerick

Disclaimer

Data Communications Security Laboratory releases this information with the vendor acceptance. DCSL is not responsible for any malicious application of the information presented in this advisory.