
Barracuda Spam Firewall < 3.5.12.007 Multiple Vulnerabilities (SQLi, XSS)

High

Synopsis

The remote web server contains CGI scripts that are affected by several issues.

Description

The remote Barracuda Spam Firewall device is running a firmware version earlier than 3.5.12.007. Such versions are reportedly affected by several issues:

- There is a SQL injection vulnerability involving the 'pattern_x' parameter (where x=0...n) of the 'cgi-bin/index.cgi' script when 'filter_x' is set to 'search_count_equals'. Successful exploitation requires credentials. (CVE-2008-1094)

- There are multiple cross-site scripting vulnerabilities due to a failure to sanitize user input when displaying error messages and involving multiple hidden input elements. (CVE-2008-0971)
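The two classes of flaw listed above have the same root cause: request parameters reaching a SQL statement and an HTML page as raw text. The example below is added here to illustrate the fix for each; it is not Barracuda code and does not reflect the firmware's actual schema or CGI logic. The `messages` table, the `score` column and the mapping of 'search_count_equals' to an equality test on that column are constructed assumptions. The vulnerable handler splices the 'pattern_x' value into SQL text; the hardened one allow-lists the filter name, validates the type and binds the value. The hidden-input renderer escapes attribute values so a supplied value cannot break out of its quotes.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the message store (assumption for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, score INTEGER)")
    conn.executemany(
        "INSERT INTO messages (sender, score) VALUES (?, ?)",
        [("alice@example.com", 3), ("bob@example.com", 5), ("eve@example.com", 5)],
    )
    conn.commit()
    return conn


def count_unsafe(conn, filter_value, pattern):
    """Vulnerable form: the pattern_x value is concatenated into the SQL statement."""
    if filter_value != "search_count_equals":
        raise ValueError("unsupported filter")
    sql = f"SELECT COUNT(*) FROM messages WHERE score = {pattern}"  # injection point
    return conn.execute(sql).fetchone()[0]


def count_safe(conn, filter_value, pattern):
    """Hardened form: allow-listed filter, type-validated input, bound parameter."""
    if filter_value != "search_count_equals":
        raise ValueError("unsupported filter")
    try:
        value = int(pattern)  # reject anything that is not a plain integer
    except ValueError:
        raise ValueError("pattern must be an integer") from None
    row = conn.execute("SELECT COUNT(*) FROM messages WHERE score = ?", (value,)).fetchone()
    return row[0]


def render_hidden_unsafe(name, value):
    """Vulnerable form: the value is written straight into the attribute."""
    return f'<input type="hidden" name="{name}" value="{value}">'


def render_hidden(name, value):
    """Hardened form: attribute-escaped so quotes and angle brackets are inert."""
    return (
        f'<input type="hidden" name="{html.escape(name, quote=True)}" '
        f'value="{html.escape(value, quote=True)}">'
    )


if __name__ == "__main__":
    db = make_db()
    print(count_safe(db, "search_count_equals", "5"))
    print(render_hidden("pattern_0", '"><b>x</b>'))
```

The point of the `int()` conversion is that the hardened query never sees the request string at all; even with parameter binding, validating the expected type first keeps error messages and downstream code simple. For the hidden inputs, escaping at render time is what matters, since the values were supplied by the client on a previous request and cannot be trusted because they are "hidden".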

Solution

Update to firmware version 3.5.12.007 or higher.
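The check behind this finding is a version comparison, and a naive string comparison gets it wrong (e.g. "9" sorts after "12"). The helper below is an added example, not the scanner's own plugin code: it assumes the firmware version is available as a dotted string in the form shown on this page, splits it into numeric components so that a segment like "007" compares as 7, pads missing trailing segments with zero, and reports whether the running version is older than 3.5.12.007.

```python
import re

FIXED_VERSION = "3.5.12.007"


def parse_version(v):
    """Split a dotted firmware version into a tuple of ints; '007' becomes 7."""
    parts = v.strip().split(".")
    if not parts or not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"malformed version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(firmware_version, fixed=FIXED_VERSION):
    """True when firmware_version is strictly older than the fixed release."""
    have = parse_version(firmware_version)
    want = parse_version(fixed)
    # Pad the shorter tuple with zeros so "3.5.12" compares as "3.5.12.000".
    width = max(len(have), len(want))
    have += (0,) * (width - len(have))
    want += (0,) * (width - len(want))
    return have < want


if __name__ == "__main__":
    # Constructed sample versions for demonstration only.
    for v in ("3.5.9.010", "3.5.11.025", "3.5.12.007", "3.6.0.001"):
        print(v, "affected" if is_affected(v) else "fixed")
```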