Symantec Mail-Gear 1.0 Web interface Server Directory Traversal Vulnerability PROBLEM UssrLabs found a Symantec Mail-Gear 1.0 Web interface Server Directory Traversal Vulnerability Using the string '../' in a URL, an attacker can gain read access to any file outside of the intended web-published filesystem directory There is not much to expand on this one.... Example: http://ServerIp:8003/Display?what=../../../../../autoexec.bat to show autoexec.bat Vendor Status: Contacted Vendor Url: http://www.symantec.com/urlabs/public/index.html Program Url: http://www.symantec.com/urlabs/public/download/download.html Credit: USSRLABS SOLUTION Upgrade to Symantec Mail-Gear 1.1 u n d e r g r o u n d s e c u r i t y s y s t e m s r e s e a r c h http://www.ussrback.com
