Server Misconfiguration Discloses Passwords of All Barracuda Network Employees


Pierluigi Paganini

Security expert Ebrahim Hegazy has found a password disclosure vulnerability in Barracuda's update servers that allowed anyone to gain access to employee credentials.

The Egyptian information security advisor Ebrahim Hegazy (@Zigoo0) found a password disclosure vulnerability in one of Barracuda's update servers that allowed attackers to gain access to all of its employee data.

When a system administrator needs to protect a directory with a second authentication layer (HTTP basic authentication) in addition to the back-end authentication, he can do so in several ways; one of them is through the configuration of .htaccess and .htpasswd files. A proper configuration prevents a visitor from browsing a reserved area (e.g. /Cpanel or /admin): in this scenario a popup asks the user to enter authentication credentials, and those credentials are stored inside the .htpasswd file as: Username:Password

In a normal setup the .htpasswd file should be stored outside the web directory (e.g. C:\AnyName\.htpasswd).

But in the Barracuda case the file was stored inside the admin panel directory and was accessible to anyone, with serious repercussions.

If a user directly accesses the following link, he is able to disclose the passwords of all Barracuda Network employees, such as support, sales and UK branch staff, update server users, engineers and others who have access to the basic authentication layer!
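The audit that the paragraphs above imply, as an added example that is not part of the original article: the script walks an Apache DocumentRoot, parses every .htaccess for an AuthUserFile directive and flags credential files that resolve inside the web root (the Barracuda mistake), plus any stray .htpasswd-style file left under the root. The sample tree, user names and hash are constructed.

```python
import re
import tempfile
from pathlib import Path

# Matches an Apache "AuthUserFile /path/to/file" directive, quoted or unquoted.
AUTHUSERFILE_RE = re.compile(r'^\s*AuthUserFile\s+"?([^"\r\n]+?)"?\s*$',
                             re.IGNORECASE | re.MULTILINE)


def find_exposed_password_files(docroot) -> list:
    """Return sorted (htaccess, password_file) pairs for every AuthUserFile that resolves
    inside the web root, i.e. a credential file the server can hand to anyone who requests
    its URL. Unreferenced *.htpasswd files under the root are reported too (htaccess=None)."""
    root = Path(docroot).resolve()
    findings = set()
    for htaccess in root.rglob(".htaccess"):
        for m in AUTHUSERFILE_RE.finditer(htaccess.read_text(errors="replace")):
            target = Path(m.group(1).strip())
            if not target.is_absolute():
                continue  # Apache resolves these against ServerRoot; not audited here
            target = target.resolve()
            if root in target.parents:  # inside the web root: exposed
                findings.add((str(htaccess.relative_to(root)), str(target.relative_to(root))))
    referenced = {pw for _, pw in findings}
    for stray in root.rglob("*.htpasswd"):  # only Apache's default ".ht*" deny rule shields these
        rel = str(stray.relative_to(root))
        if rel not in referenced:
            findings.add((None, rel))
    return sorted(findings, key=lambda f: (f[0] or "", f[1]))


def demo() -> list:
    """Constructed sample tree: one misconfigured area, one correct one, one stray file."""
    tmp = Path(tempfile.mkdtemp())
    admin, secure = tmp / "admin", tmp / "secure"
    admin.mkdir()
    secure.mkdir()
    # Weak: the password file sits beside its .htaccess, inside the web root.
    (admin / ".htaccess").write_text(
        f'AuthType Basic\nAuthName "Admin"\nAuthUserFile "{admin / ".htpasswd"}"\n'
        "Require valid-user\n")
    (admin / ".htpasswd").write_text("alice:$apr1$xx$constructed\n")  # constructed, not a real hash
    # Correct: the password file lives outside the web root (illustrative path).
    (secure / ".htaccess").write_text(
        'AuthType Basic\nAuthName "Secure"\n'
        "AuthUserFile /etc/apache2/private/secure.htpasswd\nRequire valid-user\n")
    (tmp / "old.htpasswd").write_text("bob:x\n")  # stray leftover, still inside the web root
    return find_exposed_password_files(tmp)
```

Running `demo()` reports the admin panel's referenced file and the stray leftover, while the correctly placed file under /etc/apache2 is not flagged.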
