Re: Barracuda CudaTel 2.6.02.04 - Persistent Web Vulnerability

[Henri Salo <henri.salo () kapsi fi>]

On Fri, Jun 28, 2013 at 12:47:46AM +0100, Vulnerability Lab wrote:
<snip>
> (Copy of the Vendor Homepage: http://www.barracudanetworks.ca/cudatel.aspx )

What?

> Report-Timeline:
> ================
> 2012-11-26:   Researcher Notification & Coordination (Chokri Ben Achour)
> 2012-11-27:   Vendor Notification (Barracuda Networks Security Team - Bug Bounty Program)
> 2013-04-03:   Vendor Response/Feedback (Barracuda Networks Security Team - Bug Bounty Program)
> 2013-05-02:   Vendor Fix/Patch (Barracuda Networks Developer Team) [Coordination: Dave Farrow]
> 2012-06-00:   Public Disclosure (Vulnerability Laboratory)

What?

> Vulnerable Section(s):
>                               [+] Find Me
>
> Vulnerable Module(s):
>                               [+] Call Forwarding - Add
>
> Vulnerable Parameter(s):
>                               [+] Calling Sequence - Listing

What?

Do you hit some "send advisory" -button in your web page without checking the
details? Why don't you just include PoC?

---
Henri Salo

Attachment: signature.asc
Description: Digital signature