From: Jericho
To: support@barracudanetworks.com
Cc: netsupport@xxxxx.net
Date: Fri, 01 Jul 2005 03:37:18 -0600
Subject: Barracuda Spam Firewall Cross Site Scripting (XSS) Vulnerabilities

Hello,

My ISP uses the Barracuda Networks Spam Firewall, Firmware v3.1.17 (2005-08-06 11:48:38). When editing my e-mail account preferences, I noticed that a few fields were prone to cross site scripting (XSS) attacks.

The URL: http://[my isp]:8000/cgi-bin/index.cgi

Pages - Fields:

Whitelist/Blacklist - Email Address field
  add_user_scana_sender_allow and add_user_scana_sender_block form fields

Quarantine Settings - Notification Address
  UPDATE_user_quarantine_email_address field

Put the following text into the field, and it will render the script:

A second issue I noticed: my e-mail account password is stored as an encoded value in a hidden field. The password (encoded) is also used in various HREFs, causing it to be visible in the browser. This means it is transmitted without the protection of SSL encryption, a known secure standard.

Brian

Barracuda Networks
Barracuda Spam Firewall
Firmware v3.1.17 (2005-08-06 11:48:38)


Subject: xxxxx Ticket-No.378972
Date: Fri, 01 Jul 2005 09:14:03 -0600
From: netsupport@xxxxx.net
To: jericho@xxxxx.net

[===> Please enter your reply below this line <===]

[===> Please enter your reply above this line <===]

Your Ticket: 378972
Description: Barracuda Email Concerns/Questions

This action has been taken:
Note added: xxxxx

These notes are included:

Hi Brian -

I've reviewed the email you sent to Barracuda, and would like to point out a few things.

First, the Barracuda interface does not use cookies to store any data, so the effects of the XSS vulnerability you described are minimized.

Second, the password field is hashed against another token that seems to be very specific to your current session. The URL cannot be reused from another location, so even if you were using the interface off our network and someone was able to sniff the URL, they would not be able to use those tokens to gain access to your quarantine interface. The only "portable" URL tokens are in the quarantine reports that are sent to you. If using these links causes you concern, you can generate a password to log into the interface which will not involve any such "portable" login tokens.

Finally, if you do set up a password, you can log in at https://barracuda.xxxxx.net which uses a self-signed certificate. This still uses the authentication tokens in the URL, but as noted, they are not reusable from another location.

Please let me know if you have any other questions or concerns, and I will be happy to pass them on to our vendor.
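The XSS reported above comes from the whitelist/blacklist and notification address fields being echoed back into the preferences page unchanged. The following is an added illustration, not code from the report or from Barracuda: a constructed stand-in for the three form fields, a vulnerable renderer next to a hardened one that HTML-encodes on output, and an input check (the address pattern is an assumption, not the product's) that rejects values which are not a bare e-mail address.

```python
import html
import re

# Constructed stand-in for the form fields named in the report.
FIELDS = (
    "add_user_scana_sender_allow",
    "add_user_scana_sender_block",
    "UPDATE_user_quarantine_email_address",
)

# Assumed address shape: local-part@domain, no whitespace, quotes or angle brackets.
# This is an illustrative pattern, not the appliance's own validation.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def validate_sender_address(value: str) -> bool:
    """Accept only values that look like one e-mail address (input-side check)."""
    return ADDRESS_RE.fullmatch(value) is not None


def render_field_vulnerable(name: str, value: str) -> str:
    """The pattern the report describes: the stored value is written into the page as-is."""
    return f'<input name="{name}" value="{value}">'


def render_field_hardened(name: str, value: str) -> str:
    """HTML-encode on output; this is the control that stops markup injection."""
    if name not in FIELDS:
        raise ValueError(f"unknown preferences field {name!r}")
    return f'<input name="{name}" value="{html.escape(value, quote=True)}">'


def save_sender_address(name: str, value: str) -> str:
    """Combine both controls: reject bad input, then render the accepted value safely."""
    if not validate_sender_address(value):
        raise ValueError("value is not an e-mail address")
    return render_field_hardened(name, value)


if __name__ == "__main__":
    # Constructed benign test value that closes the attribute and adds a tag.
    sample = '"><b>injected</b>'
    print(render_field_vulnerable(FIELDS[0], sample))
    print(render_field_hardened(FIELDS[0], sample))
```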