Advisory ID: SWRX-2010-002

Advisory Information

  • Title: Barracuda Networks Products Multiple Directory Traversal Vulnerabilities
  • Advisory ID: SWRX-2010-002
  • Date published: Wednesday, September 29, 2010
  • CVSS v2 Base Score: 10 (High) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  • Date of last update: Wednesday, September 29, 2010
  • Vendors contacted: Barracuda Networks
  • Release mode: Coordinated
  • Discovered by: Randy Janinda and corroborated by Sanjeev Sinha, SecureWorks

Summary

Multiple vulnerabilities exist in Barracuda Networks products due to improper validation of user-controlled input. User-controllable input supplied to the embedded web server is not properly sanitized for illegal path delimiting characters prior to being used to access files. A specially crafted HTTP request containing directory traversal sequences could allow remote attackers to conduct traversal attacks. The impact of successful exploitation depends upon the contents of the files that were retrieved.
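The flaw class described in the summary, shown as an added example (not code from the advisory or from any Barracuda Networks product): an unchecked join of request input to a base directory beside a handler that canonicalizes the path and confirms it stays inside that directory. The directory layout, file names and request values are constructed for illustration, and POSIX path semantics are assumed.

```python
import os
import tempfile
from urllib.parse import unquote


def naive_resolve(base_dir, requested):
    """Vulnerable pattern: request input is joined to the base directory unchecked."""
    return os.path.normpath(os.path.join(base_dir, requested))


def safe_resolve(base_dir, requested):
    """Return the canonical path if it stays inside base_dir, else None."""
    if "\x00" in requested:
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses ".." components and follows symlinks before the check,
    # so the comparison is made on the path the OS would actually open.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo():
    """Build a constructed directory tree and resolve constructed request values."""
    root = os.path.realpath(tempfile.mkdtemp())
    base = os.path.join(root, "webroot", "locale")
    os.makedirs(base)
    open(os.path.join(base, "en_US.txt"), "w").close()
    open(os.path.join(root, "secret.conf"), "w").close()
    samples = [
        "en_US.txt",                                # expected request
        "../../secret.conf",                        # plain traversal sequence
        unquote("x%2f..%2f..%2f..%2fsecret.conf"),  # same idea after URL decoding
        os.path.join(root, "secret.conf"),          # absolute path overrides the join
    ]
    results = {}
    for value in samples:
        naive_inside = naive_resolve(base, value).startswith(base + os.sep)
        results[value] = (naive_inside, safe_resolve(base, value) is not None)
    return root, base, results


if __name__ == "__main__":
    for value, (naive_inside, allowed) in demo()[2].items():
        print(f"{value!r}: naive stays in base={naive_inside}, safe_resolve allows={allowed}")
```

The containment check runs on the canonical path rather than on the raw string, which is why encoded or nested traversal sequences and absolute paths are all rejected by the same test.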
