The cyber security Analyst @Qcert Ebrahim Hegazy(@Zigoo0) has found a Password disclosure vulnerability in one of Barracuda update servers which allows the attackers to gain access to all its employee data.
When the system administrator needs to protect a directory with a second authentication layer (basic authentication) besides the back-end authentication, he can do it with multiple methods, one of that methods is through the configuration of .htaccess and .htpasswd files. A proper configuration could prevent a visitor to surf reserved area (e.g /Cpanel or /admin), in this scenario a popup proposes to the user asking to enter authentication credentials, that credentials are saved inside .htpasswd file as:
Username:Password
In normal scenarios the .htpasswd file should be stored outside the web directory (e.g. C:\AnyName\.htpasswd)
But in Barracuda issue the file was stored inside the admin panel directory and was accessible by anyone with serious repercussion.
If the user directly accesses the following link
http://updates.cudasvc.com/admin/.htpasswd
he will be able to disclose the passwords of all Barracuda Network Employees such as:
Support, Sales, UK Branch employees, Update server users, Engineers and more of those who have access to the basic authentication layer!
The Password disclosure vulnerability is exacerbated by the fact that the passwords were saved as a clear text, following the screen shots before the vulnerability got patched
The vulnerability has been reported by Ebrahim Hegazy to Barracuda, that already fixed it, despite it is not eligible for the bounty. Curious that Barracuda considered “Password disclosure vulnerability” out of scope vulnerability, IMHO I consider it a critical flaw. Ebrahim Hegazy (https://twitter.com/Zigoo0) has found and reported the vulnerability to Barracuda as a participant in the Barracuda bug bounty program.
I consider Ebrahim Hegazy a very skilled professional that is doing an excellent job in security field, let’s remind that in the last months he already discovered flaws in DropBox, Avira web site and Yahoo! … What is the next?
What will happen is those smart guys will start to sell the knowledge of vulnerabilities in the underground?
Pierluigi Paganini
(Security Affairs – Password disclosure vulnerability, hacking)
UPDATE 2013-07-27
Barracuda specified following inaccurancies: