Document Title:
===============
Barracuda Cloud ESS 2.x - Multiple Cross Site Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=742

Barracuda Networks Security ID: BNSEC-671


Release Date:
=============
2018-07-23


Vulnerability Laboratory ID (VL-ID):
====================================
742


Common Vulnerability Scoring System:
====================================
3.4


Vulnerability Class:
====================
Cross Site Scripting - Non Persistent


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
The Barracuda Email Security Service is a comprehensive and affordable cloud-based email security service that protects both inbound and outbound email against the latest spam, viruses, worms, phishing and denial of service attacks. Barracuda Email Security Service also includes email encryption and Data Loss Prevention features.

The Barracuda Email Security Service leverages advanced security technologies from the industry-leading Barracuda Spam & Virus Firewall and features rich multiple cloud-based protection:

Rate control and Denial of Service (DoS) protection
Reputation-based blocking from known spam and malware sources
Anti-virus, featuring the patent-pending Barracuda Anti-Virus Supercomputing Grid
Anti-phishing, using the Barracuda Anti-Fraud Intelligence
Protection against spam, phishing, fraud and emails with other malicious intent
Custom sender/recipient policy

(Copy of the Vendor Homepage: https://www.barracudanetworks.com/ns/products/bess_overview.php )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered multiple cross site vulnerabilities in the official cloud-based Barracuda Networks Email Security v2.1.2 appliance application service.


Vulnerability Disclosure Timeline:
==================================
2017-07-23: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Barracuda Networks
Product: EMail Security Service Application Appliance (Cloud-Based) 2.1.2

Barracuda Networks
Product: Cloud Control Center 2.1.2


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Pre auth - no privileges


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Bug Bounty Program


Technical Details & Description:
================================
Multiple non-persistent input validation vulnerabilities have been discovered in the cloud-based Barracuda Email Security v2.1.2 Appliance Application Service. The client-side cross site scripting vulnerabilities allow remote attackers to inject their own malicious script code into client-side browser requests to the application.

1.1
The first vulnerability is located in the `domain manager module - remove domain` function, in the form context of the exception-handling message (Confirmation required) that is redisplayed when an invalid value is requested. The application does not encode the invalid value when it displays it in the exception-handling message. The script code executes on the client side in the main error message body context. The attack vector of the issue is client-side (non-persistent) and the request method to inject is POST.

1.2
The second vulnerability is located in the `custom_rbls` parameter of the `bulk_edit` module context. The vulnerability allows an attacker to inject their own script code on the client side through the vulnerable `bulk_edit` form web context. The script code executes in the bulk_edit form next to the custom_rbls parameter input. The attack vector of the issue is client-side (non-persistent) and the request method to inject is POST.

1.3
The third vulnerability is located in the `attachment_filters` parameter of the `bulk_edit` form module. The vulnerability allows an attacker to inject their own script code on the client side through the vulnerable `bulk_edit` form web context. The script code executes in the bulk_edit form next to the attachment_filters parameter input. The attack vector of the issue is client-side (non-persistent) and the request method to inject is POST.

The security risk of the client-side cross site scripting web vulnerabilities is estimated as medium with a CVSS (common vulnerability scoring system) score of 3.4. Exploitation of the three cross site scripting vulnerabilities does not require a privileged application user account but requires low or medium user interaction. Successful exploitation of the client-side vulnerabilities results in session hijacking (customer/admin), client-side phishing, client-side external redirects to malicious sources and client-side manipulation of affected or connected module context.

Request Method(s):
[+] POST
[+] GET
[+] GET

Vulnerable Module(s):
[+] Domains Manager - Domains - Remove Domains Function
[+] Inbound Settings - Custom RBLs
[+] Message - attachment_filters

Vulnerable Parameter(s):
[+] remove_domain - ID+
[+] list custom_rbls
[+] list attachment_filters


Proof of Concept (PoC):
=======================
The client-side input validation vulnerabilities can be exploited by remote attackers without a privileged user account and with low or medium user interaction. For security demonstration or to reproduce the multiple security vulnerabilities, follow the provided information and steps below.

PoC: Exploitation
Barracuda Cloud ESS 2.x - PoC Multiple Cross Site Vulnerabilities

1.1
PoC: Domains Manager - Domains - Remove Domains Function - ID + Script Code - Invalid Exception-Handling - Display Script Code to Bypass Filter Check

Confirmation required

<[NON-PERSISTENT SCRIPT CODE INJECTION/EXECUTION!]"> >"
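
The output encoding that is missing in 1.1 to 1.3, shown as an added Python example that is not part of the original advisory and is not Barracuda's code. The function names, HTML templates, allowlist patterns and the inert probe string are assumptions constructed for illustration.

```python
import html
import re

# Hypothetical allowlists: the advisory does not document the real formats.
DOMAIN_ID_RE = re.compile(r"[0-9]{1,10}")
RBL_HOST_RE = re.compile(
    r"(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.I)
FILTER_RE = re.compile(r"[A-Za-z0-9*?._-]{1,64}")

# Constructed, inert markup probe (no script) used as sample input.
PROBE = '7"><b>probe</b>'


def encode(value: str) -> str:
    """HTML-encode for element and quoted-attribute contexts."""
    return html.escape(value, quote=True)


def render_confirmation_unsafe(domain_id: str) -> str:
    """Flawed pattern from 1.1: the request value is echoed unencoded."""
    return '<div class="error">Confirmation required: ' + domain_id + "</div>"


def render_confirmation(domain_id: str) -> str:
    """Hardened redisplay: allowlist the ID and encode what is shown."""
    if not DOMAIN_ID_RE.fullmatch(domain_id):
        # Do not reflect a rejected value; a fixed message is enough.
        return '<div class="error">Invalid domain ID.</div>'
    return ('<div class="error">Confirmation required: '
            + encode(domain_id) + "</div>")


def render_list_field(name: str, values: list, allowed: re.Pattern) -> str:
    """Redisplay of a bulk_edit list input (1.2, 1.3) in an attribute.

    `name` is a constant chosen by the server, never request data.
    """
    kept = [v for v in values if allowed.fullmatch(v)]
    return '<input type="text" name="%s" value="%s">' % (name, encode(",".join(kept)))


if __name__ == "__main__":
    print(render_confirmation_unsafe(PROBE))  # markup reaches the page
    print(render_confirmation(PROBE))         # fixed message, nothing reflected
    print(render_list_field("custom_rbls", ["zen.example.org", PROBE], RBL_HOST_RE))
    print(render_list_field("attachment_filters", ["*.exe", PROBE], FILTER_RE))
```

Validation and encoding are applied together here: the allowlist rejects malformed input early, and the encoding keeps any value that is redisplayed inert even if an allowlist is later loosened.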