[Freeswitch-users] Fwd: Barracuda CudaTel 2.6.02.04 - Persistent Web Vulnerability

Cal Leeming [Simplicity Media Ltd] cal.leeming at simplicitymedialtd.co.uk
Fri Jun 28 15:10:25 MSD 2013


I assume everyone has already seen this, but here you go.

Cal

---------- Forwarded message ----------
From: Henri Salo <henri.salo at kapsi.fi>
Date: Fri, Jun 28, 2013 at 8:41 AM
Subject: Re: Barracuda CudaTel 2.6.02.04 - Persistent Web Vulnerability
To: Vulnerability Lab <research at vulnerability-lab.com>
Cc: bugtraq at securityfocus.com


On Fri, Jun 28, 2013 at 12:47:46AM +0100, Vulnerability Lab wrote:
<snip>
> (Copy of the Vendor Homepage: http://www.barracudanetworks.ca/cudatel.aspx)

What?

> Report-Timeline:
> ================
> 2012-11-26:   Researcher Notification & Coordination (Chokri Ben Achour)
> 2012-11-27:   Vendor Notification (Barracuda Networks Security Team - Bug Bounty Program)
> 2013-04-03:   Vendor Response/Feedback (Barracuda Networks Security Team - Bug Bounty Program)
> 2013-05-02:   Vendor Fix/Patch (Barracuda Networks Developer Team) [Coordination: Dave Farrow]
> 2012-06-00:   Public Disclosure (Vulnerability Laboratory)

What?

> Vulnerable Section(s):
>                               [+] Find Me
>
> Vulnerable Module(s):
>                               [+] Call Forwarding - Add
>
> Vulnerable Parameter(s):
>                               [+] Calling Sequence - Listing

What?

Do you hit some "send advisory" -button in your web page without checking the
details? Why don't you just include PoC?

---
Henri Salo