XSS Hole Fixed in Firewall

Tuesday, July 29, 2014 @ 12:07 PM gHale

There is a non-persistent cross-site scripting (XSS) vulnerability in the Barracuda Spam and Virus Firewall web application, allowing an attacker to hijack session information or execute non-persistent code.

The affected product comes as a complete email solution for organizations that want protection against email-borne threats and data leaks.

RELATED STORIES
Drupal Fixes Critical Vulnerabilities
Details on DDoS Linux Trojan
Newer, More Secure Trojan Found
Big Bank Haul in One Week

The current vulnerability, discovered by the research team at Vulnerability Laboratory, affects versions 5.1.3 and earlier of the product. Barracuda Networks is aware of the problem and has already fixed the issue.

In a post, researchers said exploiting the vulnerability “would require an authenticated user to manipulate his own request to deliver a script payload.”

Vulnerability Laboratory first contacted the developer about the security glitch November 19. Barracuda responded the next day and then released a patch July 15, 2014.

As far as the security risk goes, this is low, with a CVSS score of 2.9.

In a proof-of-concept published by Vulnerability Laboratory, an attacker has to authenticate into the interface of the spam and virus firewall, access the Basic tab and copy the payload in the URL. After this, an attacker should see a JavaScript dialog with the session cookies.



Leave a Reply

You must be logged in to post a comment.