Back to list
[ISR] - Barracuda Spam Firewall. Cross-Site Scripting
Sep 21 2007 01:12PM
ISR-noreply (noreply infobyte com ar)
-----BEGIN PGP SIGNED MESSAGE-----
|| || Infobyte Security Research
Barracuda Spam Firewall Cross-Site Scripting
Version: Barracuda Spam Firewall firmware v18.104.22.168
It is suspected that all previous versions of Barracuda Spam Firewall are
The Barracuda Spam Firewall is an integrated hardware and software solution
designed to protect your email server
from spam, virus, spoofing, phishing and spyware attacks.
More info: http://www.barracudanetworks.com
The Web Administration Console is vulnerable to a Pre-Auth Cross-Site
Scripting due to a failure of the application to properly
sanitize user-supplied input prior to including it in dynamically generated
web document when logging in with a username that
screen is open.
- - ---------
an autheticated user has the "Monitor Web Syslog" open.
This can lead to credentials stealing.
.:: VENDOR RESPONSE
Upgrade to Firmware 3.5.10.016
.:: DISCLOSURE TIMELINE
08/24/2007 Initial vendor notification
08/27/2007 Initial vendor response
09/06/2007 Fix released by vendor
09/21/2007 Coordinated public disclosure
Federico Kirschbaum is credited with discovering this vulnerability.
.:: LEGAL NOTICES
Copyright (c) 2007 by [ISR] Infobyte Security Research.
Permission to redistribute this alert electronically is granted as long as
it is not
edited in any way unless authorized by Infobyte Security Research Response.
Reprinting the whole or part of this alert in any medium other than
requires permission from infobyte com ar
The information in the advisory is believed to be accurate at the time of
based on currently available information. Use of the information
for use in an AS IS condition. There are no warranties with regard to this
Neither the author nor the publisher accepts any liability for any direct,
consequential loss or damage arising from use of, or reliance on, this
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop
-----END PGP SIGNATURE-----
[ reply ]
Copyright 2010, SecurityFocus