Symantec Messaging Gateway CVE-2017-15532 Directory Traversal Vulnerability

Symantec Messaging Gateway is prone to a directory-traversal vulnerability.

An attacker can exploit this issue using directory-traversal characters ('../') to access or read arbitrary files that contain sensitive information or to access files outside of the restricted directory to obtain sensitive information and perform other attacks.
Versions prior to Symantec Messaging Gateway Appliance 10.6.4 are vulnerable.

Information

Bugtraq ID: 102096
Class: Input Validation Error
CVE: CVE-2017-15532

Remote: Yes
Local: No
Published: Dec 20 2017 12:00AM
Updated: Dec 20 2017 12:00AM
Credit: rgod working with Trend Micro's Zero Day Initiative.
Vulnerable: Symantec Messaging Gateway 10.6.3
Symantec Messaging Gateway 10.5.2
Symantec Messaging Gateway 10.5.1
Symantec Messaging Gateway 10.5
Symantec Messaging Gateway 10.0.1
Symantec Messaging Gateway 9.5.4
Symantec Messaging Gateway 9.5.3
Symantec Messaging Gateway 9.5.3-3
Symantec Messaging Gateway 9.5.2
Symantec Messaging Gateway 9.5.1
Symantec Messaging Gateway 9.5
Symantec Messaging Gateway 10.6.2
Symantec Messaging Gateway 10.6.1-3
Symantec Messaging Gateway 10.6.1
Symantec Messaging Gateway 10.6.0-7
Symantec Messaging Gateway 10.6.0-3
Symantec Messaging Gateway 10.6
Symantec Messaging Gateway 10.1
Symantec Messaging Gateway 10.0.3
Symantec Messaging Gateway 10.0.2
Symantec Messaging Gateway 10.0

Not Vulnerable: Symantec Messaging Gateway 10.6.4

Exploit

An attacker can use readily available tools to exploit this issue.

References:

• Messaging Gateway Homepage (Symantec)
  
• Symantec Homepage (Symantec)
  
• SYM17-016: Security Advisories Relating to Symantec Products - Symantec Messagi (Symantec)
  

Source: www.securityfocus.com