|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Symantec Mail-Gear 1.0 Web interface Server Directory Traversal Vulnerability
Subject: Symantec Mail-Gear 1.0 Web interface Server Directory Traversal Vulnerability
From: Ussr Labs (labs
USSRBACK.COM)
Date: Mon Nov 29 1999 - 10:06:29 CST
- Next message: Martin Kay: "Re: NT System Policy for Win95 Not downloaded when adding a space aft er domain name"
- Previous message: Russ: "Administrivia #30725 - Out of Office Agents"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Symantec Mail-Gear 1.0 Web interface Server Directory Traversal
Vulnerability
PROBLEM
UssrLabs found a Symantec Mail-Gear 1.0 Web interface Server Directory
Traversal Vulnerability
Using the string '../' in a URL, an attacker can gain read access to
any file outside of the intended web-published filesystem directory
There is not much to expand on this one....
Example:
http://ServerIp:8003/Display?what=../../../../../autoexec.bat to show
autoexec.bat
Vendor Status:
Contacted
Vendor Url: http://www.symantec.com/urlabs/public/index.html
Program Url: http://www.symantec.com/urlabs/public/download/download.html
Credit: USSRLABS
SOLUTION
Upgrade to Symantec Mail-Gear 1.1
u n d e r g r o u n d s e c u r i t y s y s t e m s r e s e a r c h
http://www.ussrback.com
- Next message: Martin Kay: "Re: NT System Policy for Win95 Not downloaded when adding a space aft er domain name"
- Previous message: Russ: "Administrivia #30725 - Out of Office Agents"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
This archive was generated by hypermail 2b27 : Mon Dec 06 1999 - 20:47:44 CST