I assume everyone has already seen this, but here you go.<div><br></div><div>Cal<br><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Henri Salo</b> <span dir="ltr"><<a href="mailto:henri.salo@kapsi.fi">henri.salo@kapsi.fi</a>></span><br>
Date: Fri, Jun 28, 2013 at 8:41 AM<br>Subject: Re: Barracuda CudaTel 2.6.02.04 - Persistent Web Vulnerability<br>To: Vulnerability Lab <<a href="mailto:research@vulnerability-lab.com">research@vulnerability-lab.com</a>><br>
Cc: <a href="mailto:bugtraq@securityfocus.com">bugtraq@securityfocus.com</a><br><br><br>On Fri, Jun 28, 2013 at 12:47:46AM +0100, Vulnerability Lab wrote:<br>
<snip><br>
<div class="im">> (Copy of the Vendor Homepage: <a href="http://www.barracudanetworks.ca/cudatel.aspx" target="_blank">http://www.barracudanetworks.ca/cudatel.aspx</a> )<br>
<br>
</div>What?<br>
<div class="im"><br>
> Report-Timeline:<br>
> ================<br>
> 2012-11-26: Researcher Notification & Coordination (Chokri Ben Achour)<br>
> 2012-11-27: Vendor Notification (Barracuda Networks Security Team - Bug Bounty Program)<br>
> 2013-04-03: Vendor Response/Feedback (Barracuda Networks Security Team - Bug Bounty Program)<br>
> 2013-05-02: Vendor Fix/Patch (Barracuda Networks Developer Team) [Coordination: Dave Farrow]<br>
> 2012-06-00: Public Disclosure (Vulnerability Laboratory)<br>
<br>
</div>What?<br>
<div class="im"><br>
> Vulnerable Section(s):<br>
> [+] Find Me<br>
><br>
> Vulnerable Module(s):<br>
> [+] Call Forwarding - Add<br>
><br>
> Vulnerable Parameter(s):<br>
> [+] Calling Sequence - Listing<br>
<br>
</div>What?<br>
<br>
Do you hit some "send advisory" -button in your web page without checking the<br>
details? Why don't you just include PoC?<br>
<br>
---<br>
Henri Salo<br>
</div><br></div>