Vulners
Lucene search
Symantec Messaging Gateway < 10.6.3-267 - Cross-Site Request Forgery
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | Symantec Messaging Gateway < 10.6.3-267 - Cross-Site Request Forgery Vulnerability | 4 Sep 201700:00 | – | zdt |
 | Potential for China Cyber Response to Heightened U.S.–China Tensions | 20 Oct 202012:00 | – | ics |
 | CVE-2017-6328 | 9 Aug 201700:00 | – | circl |
 | Symantec Messaging Gateway Cross-Site Request Forgery Vulnerability (CNVD-2017-28445) | 14 Aug 201700:00 | – | cnvd |
 | CVE-2017-6328 | 11 Aug 201720:00 | – | cve |
 | CVE-2017-6328 | 11 Aug 201720:00 | – | cvelist |
 | EUVD-2017-15389 | 7 Oct 202500:30 | – | euvd |
 | Symantec Messaging Gateway 10.6.3-267 - Cross-Site Request Forgery | 9 Aug 201700:00 | – | exploitpack |
 | CVE-2017-6328 | 11 Aug 201720:29 | – | nvd |
 | Symantec Messaging Gateway Multiple Vulnerabilities (Aug 2017) | 14 Aug 201700:00 | – | openvas |
10
# Exploit Title: CSRF
# Date: August 9, 2017
# Software Link: https://www.symantec.com/products/messaging-gateway
# Exploit Author: Dhiraj Mishra
# Contact: http://twitter.com/mishradhiraj_
# Website: http://datarift.blogspot.in/
# CVE: CVE-2017-6328
# Category: Symantec Messaging Gateway
1. Description
The Symantec Messaging Gateway can encounter an issue of cross site request forgery (also known as one-click attack and is abbreviated as CSRF or XSRF), which is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. A CSRF attack attempts to exploit the trust that a specific website has in a user's browser.
2. Proof of concept
The SMG did not protect the logout form with csrf token, therefore i can logout any user by sending this url https://YourIPHere/brightmail/logout.do
Here's an attack vector:
1) Set up a honeypot that detects SMG scans/attacks (somehow).
2) Once I get a probe, fire back a logout request.
3) Continue to logout the active user forever.
It's less damaging than a traditional "hack back" but is sure to irritate the local red team to no end. It's essentially a user DoS.
3. Symantec Security Bulletin
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20170810_00
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
09 Aug 2017 00:00Current
8.8High risk
Vulners AI Score8.8
CVSS 26.8
CVSS 38.8
EPSS0.00891