Vulnerability-Lab researchers discovered a new serious vulnerability in the Barracuda appliances, that could affect a number of companies which rely on Barracuda products.
The input filter blocks persistent input attacks with a restriction/filter exception for double quotes, <>,frames, scripts & statements. The vulnerability allows to bypass the existing input validation filter & exception handling.
“The bug is located when processing to save the URL path name (DB stored) with attached file. The vulnerability allows the bypassing of the path URL name parse restriction which leads to the execution on a second vulnerable bound module which displays the input as output listing,” the advisory reads.
The Account MyResource Display (example listing + input) & Upload File modules are executing the earlier saved `save` path of url-path/folder which leads to the bypass of the input validation filter & exception-handling. The result is the persistent execution of malicious script codes out of the security appliance application context.
“The URL path function saves the context of the input path name (parsed) as client side request via URL. If the request is getting bound with the file, which is getting stored (persistent) and displayed later on the overview listings, the code is getting executed unauthorized out of the security application context (persistent|server-side),” the experts explain.
The researchers say that the flaw can be fixed by parsing the second input request of the “file upload” function and the path URL request.
To demonstrate their findings, the experts have published a proof-of-concept video :
Barracuda Networks has been notified of the issues sometime in May, but so far it’s uncertain when a patch will be made available.
The input filter blocks persistent input attacks with a restriction/filter exception for double quotes, <>,frames, scripts & statements. The vulnerability allows to bypass the existing input validation filter & exception handling.
“The bug is located when processing to save the URL path name (DB stored) with attached file. The vulnerability allows the bypassing of the path URL name parse restriction which leads to the execution on a second vulnerable bound module which displays the input as output listing,” the advisory reads.
The Account MyResource Display (example listing + input) & Upload File modules are executing the earlier saved `save` path of url-path/folder which leads to the bypass of the input validation filter & exception-handling. The result is the persistent execution of malicious script codes out of the security appliance application context.
“The URL path function saves the context of the input path name (parsed) as client side request via URL. If the request is getting bound with the file, which is getting stored (persistent) and displayed later on the overview listings, the code is getting executed unauthorized out of the security application context (persistent|server-side),” the experts explain.
The researchers say that the flaw can be fixed by parsing the second input request of the “file upload” function and the path URL request.
To demonstrate their findings, the experts have published a proof-of-concept video :
Barracuda Networks has been notified of the issues sometime in May, but so far it’s uncertain when a patch will be made available.
