Barracuda Spam Firewall cgi-bin/ldap_test.cgi email Parameter XSS

Severity: Medium | Nessus Plugin ID 32434

Synopsis

The remote web server contains a CGI script that is affected by a cross-site scripting vulnerability.

Description

According to its firmware version, the remote Barracuda Spam Firewall device fails to filter input to the 'email' parameter of the '/cgi-bin/ldap_test.cgi' script before echoing it into the page it generates, a reflected cross-site scripting flaw. An unauthenticated, remote attacker who can get a user of the web management interface to follow a crafted link may be able to leverage this issue to inject arbitrary HTML or script code into that user's browser, where it executes within the security context of the affected site.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported firmware version.

Solution

Update to firmware release 3.5.11.025 or later. As an interim mitigation, configure the device to limit access to the web management application by IP address; this reduces who can reach the vulnerable script but does not remove the flaw.
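The two checks a practitioner would want from the Description and Solution above, as an added example (this is not Tenable's NASL plugin or Barracuda code): a numeric firmware-version comparison against the 3.5.11.025 fix release, which is all the plugin itself does, and an offline classifier that decides whether a probe sent in the 'email' parameter came back unescaped, HTML-escaped, or not at all. The probe string, the hostname and the two sample response bodies are constructed here; the vulnerable page's real HTML is not on this page and is only modelled.

```python
"""Triage helpers for Nessus plugin 32434 (Barracuda Spam Firewall
/cgi-bin/ldap_test.cgi 'email' XSS).  Added example, not the plugin's code."""
import html
from urllib.parse import urlencode

FIXED_VERSION = "3.5.11.025"            # fix release named in the Solution
AFFECTED_PATH = "/cgi-bin/ldap_test.cgi"
AFFECTED_PARAM = "email"

# Constructed probe: a unique marker plus attribute-breaking characters.
PROBE = 'zz"\'><nessus32434>'


def parse_version(version):
    """'3.5.11.025' -> (3, 5, 11, 25): numeric fields so '025' sorts below '100'."""
    return tuple(int(part) for part in version.strip().split("."))


def version_lt(a, b):
    """Numeric comparison, zero-padded so '3.5.11' compares as '3.5.11.000'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def is_affected(firmware_version):
    """Version-only verdict, the same basis the plugin reports on (no probe sent)."""
    return version_lt(firmware_version, FIXED_VERSION)


def build_probe_url(base_url, probe=PROBE):
    """URL that submits `probe` through the vulnerable parameter."""
    return f"{base_url.rstrip('/')}{AFFECTED_PATH}?{urlencode({AFFECTED_PARAM: probe})}"


def classify_reflection(body, probe=PROBE):
    """Classify how a response echoed the probe.

    'unescaped': the raw probe is present, so attribute/tag breakout works.
    'escaped':   only the HTML-entity form is present (what a fixed build does).
    'absent':    the input was not reflected at all.
    """
    if probe in body:
        return "unescaped"
    if html.escape(probe, quote=True) in body:
        return "escaped"
    return "absent"


def sample_response(probe=PROBE, fixed=False):
    """Constructed stand-in for the device page: the submitted address is echoed
    into an input attribute and into body text.  fixed=True models the patched
    firmware HTML-escaping the value before output."""
    value = html.escape(probe, quote=True) if fixed else probe
    return (
        "<html><body><h1>LDAP test</h1>"
        f'<form><input name="email" value="{value}"></form>'
        f"<p>Testing lookup for {value}</p></body></html>"
    )


if __name__ == "__main__":
    # Assumed hostname; nothing is contacted, the URL is only built.
    print(build_probe_url("https://spamfw.example"))
    for fw in ("3.5.11.020", "3.5.11.025", "3.5.12.001"):
        print(fw, "affected" if is_affected(fw) else "not affected")
    print("vulnerable model:", classify_reflection(sample_response(fixed=False)))
    print("fixed model:     ", classify_reflection(sample_response(fixed=True)))
```

The version check reproduces the plugin's verdict without touching the device. To confirm the flaw rather than infer it, fetch the probe URL in an authorized session and pass the response body to classify_reflection; "unescaped" means the 'email' value reaches the page with quotes and angle brackets intact, which is exactly the condition the Description names. Escaping with html.escape(quote=True) is the comparison baseline because the value is reflected inside a quoted attribute as well as in body text; a page that only strips angle brackets would still report "unescaped" here, which is the correct outcome.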

See Also

https://seclists.org/fulldisclosure/2008/May/564

https://www.barracuda.com/support/techalerts

Plugin Details

Severity: Medium

ID: 32434

File Name: barracuda_ldap_test_xss.nasl

Version: 1.18

Type: remote

Published: 5/23/2008

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/h:barracuda_networks:barracuda_spam_firewall

Required KB Items: www/barracuda_spamfw

Exploit Ease: No exploit is required

Reference Information

CVE: CVE-2008-2333

BID: 29340

CWE: 79

Secunia: 30362