Barracuda SSL VPN 680Vx 2.3.3.193 Multiple Script Injection Vulnerabilities

Title: Barracuda SSL VPN 680Vx 2.3.3.193 Multiple Script Injection Vulnerabilities
Advisory ID: ZSL-2013-5147
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 01.07.2013
Summary
The Barracuda SSL VPN is a powerful plug-and-play appliance purpose-built to provide remote users with secure access to internal network resources.
Description
Barracuda SSL VPN suffers from multiple stored XSS vulnerabilities when parsing user input to several parameters via POST method. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user's browser session.
Vendor
Barracuda Networks, Inc. - https://www.barracuda.com
Affected Version
2.3.3.193, Model: V680
Tested On
Linux 2.4.x, Jetty Web Server
Vendor Status
[05.03.2013] Vulnerabilities discovered.
[16.03.2013] Contact with the vendor.
[17.03.2013] Vendor replies.
[19.03.2013] Working with the vendor.
[28.03.2013] Vendor confirms issues, track BNSEC-1239.
[15.04.2013] Asked vendor for status update.
[17.04.2013] Vendor replies.
[18.04.2013] Confirming that the issues are still present on the demo test sites. (v2.3.3.193)
[07.05.2013] Vendor informs that the version 2.3.3.216 since 13.03.2013 is patched from these issues.
[08.05.2013] Coordinating with the vendor.
[08.06.2013] Vendor confirms that as of firmware version 2.3.3.216 the issues have been resolved.
[01.07.2013] Coordinated public security advisory released.
PoC
barracuda_sslvpn_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://updates.cudasvc.com/cgi-bin/view_release_notes.cgi?type=bvsware&version=2.3.3.216
[2] http://barracudalabs.com/?page_id=3456
[3] http://barracudalabs.com/?page_id=3458
[4] http://www.exploit-db.com/exploits/26527/
[5] http://cxsecurity.com/issue/WLB-2013070014
[6] http://1337day.com/exploit/20959
[7] http://packetstormsecurity.com/files/122245
[8] http://www.osvdb.org/show/osvdb/94727
[9] http://www.osvdb.org/show/osvdb/94728
[10] http://www.osvdb.org/show/osvdb/94729
[11] http://www.osvdb.org/show/osvdb/94730
[12] http://www.osvdb.org/show/osvdb/94731
[13] http://secunia.com/advisories/53982/
[14] http://www.securityfocus.com/bid/60906
[15] http://xforce.iss.net/xforce/xfdb/85419
[16] http://securitytracker.com/id/1028736
[17] http://www.scip.ch/en/?vuldb.9310
[18] http://www.scip.ch/en/?vuldb.9311
[19] http://www.scip.ch/en/?vuldb.9312
[20] http://www.scip.ch/en/?vuldb.9313
[21] http://www.scip.ch/en/?vuldb.9314
[22] http://www.securiteam.com/securitynews/6M0372A8KA.html
[23] http://www.securiteam.com/securitynews/6J037158UM.html
Changelog
[01.07.2013] - Initial release
[02.07.2013] - Added reference [4], [5], [6], [7], [8], [9], [10], [11] and [12]
[03.07.2013] - Added reference [13] and [14]
[07.07.2013] - Added reference [15] and [16]
[19.07.2013] - Added reference [17], [18], [19], [20] and [21]
[31.10.2013] - Added reference [22]
[15.11.2013] - Added reference [23]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk