I assume everyone has already seen this, but here you go.<div><br></div><div>Cal<br><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Henri Salo</b> <span dir="ltr">&lt;<a href="mailto:henri.salo@kapsi.fi">henri.salo@kapsi.fi</a>&gt;</span><br>
Date: Fri, Jun 28, 2013 at 8:41 AM<br>Subject: Re: Barracuda CudaTel 2.6.02.04 - Persistent Web Vulnerability<br>To: Vulnerability Lab &lt;<a href="mailto:research@vulnerability-lab.com">research@vulnerability-lab.com</a>&gt;<br>
Cc: <a href="mailto:bugtraq@securityfocus.com">bugtraq@securityfocus.com</a><br><br><br>On Fri, Jun 28, 2013 at 12:47:46AM +0100, Vulnerability Lab wrote:<br>
&lt;snip&gt;<br>
<div class="im">&gt; (Copy of the Vendor Homepage: <a href="http://www.barracudanetworks.ca/cudatel.aspx" target="_blank">http://www.barracudanetworks.ca/cudatel.aspx</a> )<br>
<br>
</div>What?<br>
<div class="im"><br>
&gt; Report-Timeline:<br>
&gt; ================<br>
&gt; 2012-11-26:   Researcher Notification &amp; Coordination (Chokri Ben Achour)<br>
&gt; 2012-11-27:   Vendor Notification (Barracuda Networks Security Team - Bug Bounty Program)<br>
&gt; 2013-04-03:   Vendor Response/Feedback (Barracuda Networks Security Team - Bug Bounty Program)<br>
&gt; 2013-05-02:   Vendor Fix/Patch (Barracuda Networks Developer Team) [Coordination: Dave Farrow]<br>
&gt; 2012-06-00:   Public Disclosure (Vulnerability Laboratory)<br>
<br>
</div>What?<br>
<div class="im"><br>
&gt; Vulnerable Section(s):<br>
&gt;                               [+] Find Me<br>
&gt;<br>
&gt; Vulnerable Module(s):<br>
&gt;                               [+] Call Forwarding - Add<br>
&gt;<br>
&gt; Vulnerable Parameter(s):<br>
&gt;                               [+] Calling Sequence - Listing<br>
<br>
</div>What?<br>
<br>
Do you hit some &quot;send advisory&quot; -button in your web page without checking the<br>
details? Why don&#39;t you just include PoC?<br>
<br>
---<br>
Henri Salo<br>
</div><br></div>