SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
IT News
Search
SecurityAlert Database
About SecurityAlert
ExploitAlert Database
SecurityReason Research
WLB
WLB Database
Send to WLB
About WLB
Services
Security Audit
Schedule
Prices of services
Contact
RSS
SecurityReason IT News
SecurityAlert
World Laboratory of Bugtraq
ExploitAlert
Apache
PHP
Corporate
Contact
About SecurityReason
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com
Home arrow SecurityAlert Database

Arrow  Topic :

Multiple vulnerabilities in BarracudaDrive 3.7.2


Arrow  SecurityAlert : 3434
Arrow  CVE : CVE-2007-6314
Arrow  CVE : CVE-2007-6315
Arrow  CVE : CVE-2007-6316
Arrow  CVE : CVE-2007-6317
Arrow  SecurityRisk : Medium  Security Risk Medium  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : No
Arrow  Exploit Available : Yes
Arrow  Credit : Luigi Auriemma
Arrow  Published : 13.12.2007

Arrow  Affected Software : BarracudaDrive Web Server <= 3.7.2



Arrow  Advisory Content :  

#######################################################################

Luigi Auriemma

Application: BarracudaDrive Web Server
http://barracudaserver.com/products/BarracudaDrive/
http://barracudaserver.com/products/HomeServer/
Versions: <= 3.7.2
Platforms: Windows
Bugs: A] directory traversal
B] scripts source visualization
C] arbitrary files deleting by users
D] NULL pointer crash in chat.ehintf by users
E] html injection in the trace viewer
Exploitation: remote
Date: 10 Dec 2007
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org [email concealed]
web: aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Barracuda Drive is a commercial webserver developed by Real Time Logic
and contains many features.

#######################################################################

=======
2) Bugs
=======

----------------------
A] directory traversal
----------------------

A directory traversal vulnerability is exploitable through the usage of
a backslash or any other char major than 0x7f at the beginning of the
URI.
The directories must be delimited by backslashes (and not slashes) for
exploiting the bug.

-------------------------------
B] scripts source visualization
-------------------------------

All the custom scripts in the server (like the LUA scripts with lsp
extension) can be visualized entirely instead of being executed simply
using a '+', a dot or any other char major than 0x7f after the script's
name.

------------------------------------
C] arbitrary files deleting by users
------------------------------------

BarracudaDrive allows the admin to create users which can then access
their personal folders, chating between them and so on.
The problem here is that these authenticated users can delete files and
empty folders anywhere in the disk on which is located their personal
directory simply using the usual .. pattern.

Note that is also possible to create directories in the disk using the
same trick but this is not a real security problem.

---------------------------------------------
D] NULL pointer crash in chat.ehintf by users
---------------------------------------------

As already said the users can also chat between them using a simple
web interface called Group Chat.
In this case it's enough to avoid the passing of the Connection ID of
the user in the URI for crashing the entire server due to a NULL
pointer.

-------------------------------------
E] html injection in the trace viewer
-------------------------------------

BarracudaDrive logs any bad or wrong HTTP request received by the
clients and the Trace page in the admin interface can be used to
visualize these log files.
The problem is that they are visualized as HTML and there are no checks
or limitations on their content so a remote attacker can use this bug
for injecting scripts in these files, for example for retrieving the
cookie of the admin and gaining access to the server configuration.

#######################################################################

===========
3) The Code
===========

A]
http://SERVER/......boot.ini
http://SERVER/%80......boot.ini
http://SERVER/%ff..bdlicense.dat

B]
http://SERVER/lua.lsp+
http://SERVER/lua.lsp.
http://SERVER/lua.lsp%80

C]
POST /drive/c/bdusers/USER/?cmd=rm HTTP/1.1
Host: SERVER
Cookie: "use the real user's cookie!"
Content-Type: application/x-www-form-urlencoded
Content-Length: 21

dir=......file.txt

D]
POST /eh/chat.ehintf/C. HTTP/1.1
Host: SERVER
Content-Type: text/plain
Content-Length: 0
Cookie: "use the real user's cookie!"

E]
GET <script>alert('hello');</script> HTTP/1.0

#######################################################################

======
4) Fix
======

Version 3.8

#######################################################################

---
Luigi Auriemma
http://aluigi.org






Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

libc/fnmatch(3) DoS

Security Risk Medium- 2011-05-13

Allow attacker to denial of service apache 2.2.17 server
Apache RSS Apache Alert

» Apache HTTP Server Denial
   of Service Vulnerability

» Multiple Vendors
   libc/fnmatch(3) DoS (incl
   apache poc)

» Apache Continuum
   cross-site scripting
   vulnerability

» Apache Tomcat DoS
   Vulnerability
PHP RSS PHP Alert

» PHP Hashtables Denial of
   Service

» PHP 5.3.6 multiple null
   pointer dereference

» PHP 5.3.6 ZipArchive
   invalid use glob(3)

» libzip 0.9.3
   _zip_name_locate NULL
   Pointer Dereference (incl
   PHP 5.3.5)
ADT

Protect your family and valuables with Home Security Systems
Copyright © SecurityReason.com. All Rights Reserved.