=========================================================================
Arcus Security Advisory
=========================================================================

Product:  Web Application Firewall
Vendor:   Barracuda Networks Inc. [1]
CVE ID:   2014-4122
Subject:  SQL Injection [2]
Risk:     High
Author:   Stefan Horlacher, Arcus Security GmbH
Date:     2016-01-02

=========================================================================

Description:
------------

One of Barracuda Networks Inc.'s products is their Web Application
Firewall. The product suffers from multiple SQL injection
vulnerabilities, all related to the seqid parameter.

Vulnerable:
-----------

BNWF before 7.9.1.005.

Workaround / Fix:
-----------------

Update to BNWF 7.9.1.005 or newer.

Timeline:
---------

2014-09-12: Vendor notification
2014-11-07: Issue confirmed (Bug Bounty Notification)
2016-01-24: Advisory released

References:
-----------

[1] https://www.barracuda.com
[2] https://www.owasp.org/index.php/SQL_Injection

=========================================================================
Arcus Security GmbH
Sihlquai 253
Postfach
8031 Zurich

Tel.:  +41 (0)44 271 44 00
Mail:  info at arcus-security dot ch
www.arcus-security.ch
=========================================================================