Barracuda Web Application Firewall
cpe:2.3:a:barracuda:web_application_firewall:*:*:*:*:*:*:*
- <= 4.1.1.021
This vulnerability is being actively exploited in the wild.
A path traversal vulnerability has been identified in multiple Barracuda products, including the Barracuda Spam & Virus Firewall, SSL VPN, and Web Application Firewall, in all versions prior to October 2010. The vulnerability exists in the view_help.cgi endpoint, where the locale parameter is not properly sanitized, allowing unauthenticated remote attackers to inject traversal sequences and null-byte terminators. Exploitation can lead to unauthorized access to sensitive configuration files on the underlying system, such as /mail/snapshot/config.snapshot, potentially exposing credentials and critical internal data.
Exploitation of this vulnerability allows for unauthorized retrieval of sensitive configuration files from the affected system, which may include administrative passwords, LDAP passwords, mailbox passwords, and internal networking information.
To reproduce this vulnerability, send a GET request to the '/cgi-mod/view_help.cgi' endpoint with a crafted 'locale' parameter that includes directory traversal sequences and a null-byte terminator. The default payload will attempt to access the '/mail/snapshot/config.snapshot' file, but this can be modified to target other files as well.
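For defenders, a log check for the request pattern described above, as an added example that is not part of the original advisory or of any Barracuda tooling. It assumes access logs in Common Log Format (for instance from a proxy in front of the appliance); the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

ENDPOINT = "/cgi-mod/view_help.cgi"  # endpoint named in the advisory
# Assumption: Common/Combined Log Format (client IP first, quoted request, status).
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')
DOTDOT_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')  # ".." used as a path segment

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are exposed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def locale_findings(target):
    """Return the reasons a request target matches the advisory's pattern."""
    path, _, query = target.partition("?")
    if decode_fully(path) != ENDPOINT:
        return []
    reasons = set()
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = decode_fully(value)  # parse_qsl already decoded one layer
        if name == "locale" and DOTDOT_RE.search(value):
            reasons.add("traversal")
        if name == "locale" and "\x00" in value:
            reasons.add("null-byte")
    return sorted(reasons)

def scan(lines):
    """Return (client_ip, status, reasons) for every suspicious log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        reasons = locale_findings(m["target"]) if m else []
        if reasons:
            hits.append((m["ip"], int(m["status"]), reasons))
    return hits

# Constructed sample lines: documentation IP ranges, arbitrary traversal depth.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Oct/2010:10:00:00 +0000] "GET /cgi-mod/view_help.cgi?locale=en_US HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Oct/2010:10:02:11 +0000] "GET /cgi-mod/view_help.cgi?locale=../../mail/snapshot/config.snapshot%00 HTTP/1.1" 200 48211',
    '203.0.113.5 - - [01/Oct/2010:10:05:40 +0000] "GET /cgi-mod/view_help.cgi?locale=%252e%252e%252f%252e%252e%252fmail%2500 HTTP/1.1" 403 312',
    '192.0.2.10 - - [01/Oct/2010:10:06:02 +0000] "GET /favicon.ico HTTP/1.1" 200 1150',
]
```

Calling scan(SAMPLE_LOG) flags the second and third lines; the status field in each hit shows whether the request was served or refused, which is the first thing to check when triaging a match.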