Server Misconfiguration Discloses Passwords of All Barracuda Network Employees

2013-07-24

Pierluigi Paganini

http://thehackernews.com/2013/07/Barracuda-network-Password-disclosure-vulnerability_24.html

Security expert Ebrahim Hegazy has found a password disclosure vulnerability in Barracuda's update servers that allows access to employee credentials.

The Egyptian information security advisor Ebrahim Hegazy (@Zigoo0) has found a password disclosure vulnerability in one of Barracuda's update servers that allows attackers to gain access to all of its employee data.

When a system administrator needs to protect a directory with a second authentication layer (HTTP basic authentication) in addition to the back-end authentication, there are several ways to do it; one of them is through the configuration of .htaccess and .htpasswd files. A proper configuration prevents a visitor from browsing a reserved area (e.g. /Cpanel or /admin): the browser shows a popup asking the user to enter authentication credentials, and those credentials are saved inside the .htpasswd file in the form Username:Password.

In normal scenarios the .htpasswd file should be stored outside the web directory (e.g. C:\AnyName\.htpasswd).

But in the Barracuda case the file was stored inside the admin panel directory and was accessible to anyone, with serious repercussions.

If a user directly accesses the following link, http://updates.cudasvc.com/admin/.htpasswd, he will be able to disclose the passwords of all Barracuda Network employees, such as Support, Sales, UK branch employees, update server users, engineers and more of those who have access to the basic authentication layer!
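The reserved-area setup the article describes, as an added example that is not from the article or from Barracuda's servers: an Apache configuration with the weak layout (password file inside the protected directory, under the document root) beside the corrected one. The paths, the directory name and the bcrypt command are assumptions for illustration.

```apache
# WEAK: the password file lives inside the protected directory, which is
# itself under DocumentRoot. The Basic auth prompt works as intended, but
# /admin/.htpasswd is just another file in the web tree, and unless the
# server is told to refuse dotfiles it is served like any static file.
DocumentRoot "/var/www/html"
<Directory "/var/www/html/admin">
    AuthType Basic
    AuthName "Restricted"
    # inside the web tree: reachable as /admin/.htpasswd
    AuthUserFile "/var/www/html/admin/.htpasswd"
    Require valid-user
</Directory>

# CORRECTED: keep the credential file outside DocumentRoot (the article's
# C:\AnyName\.htpasswd is the Windows equivalent) and refuse to serve any
# .ht* file anywhere, so even a stray copy is not readable over HTTP.
# Create the file with hashed passwords, never plain text, e.g.:
#   htpasswd -B -c /etc/apache2/auth/admin.htpasswd alice
<Directory "/var/www/html/admin">
    AuthType Basic
    AuthName "Restricted"
    # not under the web tree: no URL maps to this file
    AuthUserFile "/etc/apache2/auth/admin.htpasswd"
    Require valid-user
</Directory>
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```

A quick check after deploying: requesting /admin/.htpasswd should return 403 (or 401 behind the prompt), never 200 with a `user:hash` body.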

[...]