Advisory

Barracuda Networks Products Multiple Directory Traversal Vulnerabilities

Advisory ID: SWRX-2010-002

Advisory Information

  • Title: Barracuda Networks Products Multiple Directory Traversal Vulnerabilities
  • Advisory ID: SWRX-2010-002
  • Date published: Wednesday, September 29, 2010
  • CVSS v2 Base Score: 10 (High) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  • Date of last update: Wednesday, September 29, 2010
  • Vendors contacted: Barracuda Networks
  • Release mode: Coordinated
  • Discovered by: Randy Janinda and corroborated by Sanjeev Sinha, SecureWorks

Summary

Multiple vulnerabilities exist in Barracuda Networks products due to improper validation of user-controlled input. User-controllable input supplied to the embedded web server is not properly sanitized for illegal path delimiting characters prior to being used to access files. A specially crafted HTTP request containing directory traversal sequences could allow remote attackers to conduct traversal attacks. The impact of successful exploitation depends upon the contents of the files that were retrieved.
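
A containment check of the kind the summary says was missing, shown as an added example that is not part of the SecureWorks advisory or of Barracuda's code: it decodes a requested file name, rejects parent-directory segments, and confirms the resolved path stays under the served directory. The function names, the directory layout and the sample request values are constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested name would escape the served directory."""


def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded sequences (%252e) are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise TraversalError("input still encoded after %d rounds" % max_rounds)


def resolve_under(base_dir, user_value):
    """Return the real path for user_value, or raise if it leaves base_dir."""
    name = fully_decode(user_value).replace("\\", "/")
    if "\x00" in name:
        raise TraversalError("NUL byte in path")
    if name.startswith("/") or ".." in name.split("/"):
        raise TraversalError("absolute path or parent-directory segment")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # realpath follows symlinks, so a link pointing outside base is caught here.
    if os.path.commonpath([base, target]) != base:
        raise TraversalError("resolved path escapes base directory")
    return target


def check_samples():
    """Run constructed request values against a throwaway directory."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "help"))
        samples = ["help/index.html", "../../etc/passwd", "..%2f..%2fetc%2fpasswd",
                   "%252e%252e%252fetc%252fpasswd", "..\\..\\etc\\passwd",
                   "/etc/passwd", "help/../index.html", "index.html%00.png"]
        for s in samples:
            try:
                resolve_under(base, s)
                results[s] = "allowed"
            except TraversalError:
                results[s] = "rejected"
    return results
```

The check is deliberately strict: a name such as help/../index.html is rejected even though it would resolve inside the base directory, because a legitimate client has no reason to send a parent-directory segment.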



ABOUT THE AUTHOR
COUNTER THREAT UNIT RESEARCH TEAM
