Several Barracuda Networks products contain a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to 'cgi-mod/view_help.cgi' not properly sanitizing user input, specifically directory traversal sequences (e.g., ../../) supplied via the 'locale' parameter. This directory traversal allows the attacker to access arbitrary files. Successful exploitation could lead to full remote administrative access to the vulnerable products. After obtaining administrative access, an attacker may be able to create, modify, or delete user accounts, read stored messages, purge system logs, and access sensitive and/or confidential information.
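The kind of check whose absence the advisory describes, written as an added example (not Barracuda's code and not part of the original advisory): a path-valued parameter such as 'locale' is first matched against an allowlisted shape, then the resolved path is confirmed to stay under the help directory. The help-root layout, the locale pattern, and the names `resolve_help_file`, `naive_help_file` and `demo` are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumption: locale names are short tags such as "en" or "en_US".
LOCALE_RE = re.compile(r"[a-z]{2}(_[A-Z]{2})?")
PAGE_RE = re.compile(r"[A-Za-z0-9_-]+\.html")


def naive_help_file(help_root, locale, page="index.html"):
    """Flawed pattern: the parameter is joined into the path unchecked."""
    return os.path.normpath(os.path.join(help_root, locale, page))


def resolve_help_file(help_root, locale, page="index.html"):
    """Return the real path of a help page, or None if the request is rejected."""
    # 1. Allowlist the shape: rejects "../", "/", NUL bytes and encoded forms.
    if not LOCALE_RE.fullmatch(locale) or not PAGE_RE.fullmatch(page):
        return None
    root = os.path.realpath(help_root)
    candidate = os.path.realpath(os.path.join(root, locale, page))
    # 2. Containment check after symlink resolution, so a link placed under
    #    the help root cannot lead outside it either.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo():
    """Run both functions over a constructed directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "help")
        outside = os.path.join(tmp, "secret")
        os.makedirs(os.path.join(root, "en"))
        os.makedirs(outside)
        for d in (os.path.join(root, "en"), outside):
            with open(os.path.join(d, "index.html"), "w") as fh:
                fh.write("constructed sample")
        # A well-formed locale name that is really a link out of the root.
        os.symlink(outside, os.path.join(root, "zz"))
        naive = naive_help_file(root, "../secret")
        return {
            "valid": resolve_help_file(root, "en") is not None,
            "traversal": resolve_help_file(root, "../secret"),
            "symlink": resolve_help_file(root, "zz"),
            "naive_escapes": not naive.startswith(root + os.sep),
        }
```
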