=====================================================================
                                   CERT-Renater

                        Information Note No. 2008/VULN618
_____________________________________________________________________

DATE                      : 24/12/2008

HARDWARE PLATFORM(S)      : Barracuda Message Archiver, Barracuda Spam Firewall,
                            Barracuda Web Filter, Barracuda IM Firewall,
                            Barracuda Load Balancer.
OPERATING SYSTEM(S)       : Barracuda Message Archiver firmware,
                            Barracuda Spam Firewall firmware,
                            Barracuda Web Filter firmware, Barracuda IM Firewall
                            firmware, Barracuda Load Balancer firmware.

======================================================================
http://www.barracudanetworks.com/ns/support/tech_alert.php
______________________________________________________________________

Resolved input field validation and HTML encoding issues in select
Barracuda Networks products

Date: 2008-12-15

Affected Products:

    Barracuda Message Archiver Release 1.1.0.010 (2008-02-15) and earlier
    Barracuda Spam Firewall Release 3.5.11.020 (2008-02-26) and earlier
    Barracuda Web Filter Release 3.3.0.038 (2008-02-19) and earlier
    Barracuda IM Firewall Release 3.0.01.008 (2008-02-05) and earlier
    Barracuda Load Balancer Release 2.2.006 (2008-09-05) and earlier

Revision: A1.0
References: marian.ventuneac@ul.ie
Risk Rating: Low

Recently, security researcher Dr. Marian Ventuneac of Data Communication
Security Laboratory, Department of Electronic and Computer Engineering at
University of Limerick, discovered and worked with Barracuda Networks to
resolve input field validation and HTML encoding issues in select
Barracuda Networks products that resulted in cross-site scripting
vulnerabilities in specific screens and fields.

Reproducing all of these issues required that administrators log in
to the appliance.

Barracuda Networks resolved all of the issues identified by Dr.
Ventuneac by making generally available firmware releases for
the following products:

    Barracuda Message Archiver Release 1.2.1.002 (2008-07-22)
    Barracuda Spam Firewall Release 3.5.12.007 (2008-10-24)
    Barracuda Web Filter Release 3.3.0.052 (2008-08-04)
    Barracuda IM Firewall Release 3.1.01.017 (2008-07-02)
    Barracuda Load Balancer Release 2.3.024 (2008-10-20)

The CERT CVE number for these reported issues is CVE-2008-0971.

For maximum protection, Barracuda Networks recommends that all
customers upgrade to the latest generally available release of
the firmware.
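
Added example, not part of the vendor or CERT-Renater text: a short Python
triage of an appliance inventory against the affected and fixed releases
listed above. The release numbers are copied from this advisory; the
hostnames, installed releases and the "unconfirmed" label for releases
that fall between the two lists are assumptions made for the example.

```python
# Added example: release numbers are from the advisory, the inventory is constructed.
ADVISORY = {
    # product: (last release listed as affected, first release listed as fixed)
    "Barracuda Message Archiver": ("1.1.0.010", "1.2.1.002"),
    "Barracuda Spam Firewall": ("3.5.11.020", "3.5.12.007"),
    "Barracuda Web Filter": ("3.3.0.038", "3.3.0.052"),
    "Barracuda IM Firewall": ("3.0.01.008", "3.1.01.017"),
    "Barracuda Load Balancer": ("2.2.006", "2.3.024"),
}


def parse_release(text):
    """Turn '3.0.01.008' into (3, 0, 1, 8) so components compare numerically."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised release string: {text!r}")
    return tuple(int(p) for p in parts)


def classify(product, release):
    """Return 'affected', 'fixed', 'unconfirmed' or 'not-listed'."""
    if product not in ADVISORY:
        return "not-listed"
    last_affected, first_fixed = (parse_release(v) for v in ADVISORY[product])
    current = parse_release(release)
    if current <= last_affected:
        return "affected"
    if current >= first_fixed:
        return "fixed"
    # The advisory says nothing about releases between the two bounds.
    return "unconfirmed"


def triage(inventory):
    """Map each (host, product, release) row to its classification."""
    return {host: classify(product, release) for host, product, release in inventory}


# Constructed inventory; hostnames and installed releases are made up.
SAMPLE_INVENTORY = [
    ("spam-gw-1", "Barracuda Spam Firewall", "3.5.11.020"),
    ("spam-gw-2", "Barracuda Spam Firewall", "3.5.12.001"),
    ("web-filter-1", "Barracuda Web Filter", "3.3.0.052"),
    ("lb-1", "Barracuda Load Balancer", "2.2.6"),
]

if __name__ == "__main__":
    for host, state in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {state}")
```

Hosts reported as "affected" or "unconfirmed" are the ones to move to the
fixed release listed for their product.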

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================
