Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Barracuda Spam Firewall < 3.5.12.007 Multiple Vulnerabilities (SQLi, XSS)

High

Synopsis

The remote web server contains CGI scripts that are affected by several issues.

Description

The remote Barracuda Spam Firewall device is using a firmware version earlier than 3.5.12.007. Such versions reportedly are affected by several issues :

- There is a SQL injection vulnerability involving the 'pattern_x' parameter (where x=0...n) of the 'cgi-bin/index.cgi' script when 'filter_x' is set to 'search_count_equals'. Successful exploitation requires credentials. (CVE-2008-1094)

- There are multiple cross-site scripting vulnerabilities due to a failure to sanitize user input when displaying error messages and involving multiple hidden input elements. (CVE-2008-0971)

Solution

Update to firmware version 3.5.12.007 or higher.