COMMAND

    Mail-Gear

SYSTEMS AFFECTED

    Symantec Mail-Gear 1.0

PROBLEM

    UssrLabs found a directory traversal vulnerability in the web
    interface server of Symantec Mail-Gear 1.0.  Using the string '../'
    in a URL, an attacker can gain read access to any file outside of
    the intended web-published filesystem directory.  There is not much
    to expand on this one.  Example:

        http://ServerIp:8003/Display?what=../../../../../autoexec.bat

    This request displays the contents of autoexec.bat.

SOLUTION

    Upgrade to Symantec Mail-Gear 1.1
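
A log check for the request pattern shown under PROBLEM, added here as an example and not part of the original advisory. It goes beyond the literal '../' string to also catch backslash and percent-encoded forms; the access-log line format and the sample lines are constructed assumptions, and the advisory does not say whether Mail-Gear decodes such forms.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample request lines (assumed log format, not from a real server).
SAMPLE_LOG = [
    '10.0.0.5 "GET /Display?what=inbox.html HTTP/1.0" 200',
    '10.0.0.9 "GET /Display?what=../../../../../autoexec.bat HTTP/1.0" 200',
    '10.0.0.9 "GET /Display?what=..%2F..%2Fautoexec.bat HTTP/1.0" 200',
    '10.0.0.9 "GET /Display?what=%252e%252e%255cwin.ini HTTP/1.0" 404',
    '10.0.0.7 "GET /Display?what=notes..txt HTTP/1.0" 200',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_parent_segment(value):
    """True if any segment of value, split on / or \\, is exactly '..'."""
    return ".." in re.split(r"[\\/]", fully_decode(value))

def flag_traversal(lines, endpoint="/Display", param="what"):
    """Return the log lines whose endpoint request carries '..' in param."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path != endpoint:
            continue
        # parse_qsl decodes once; fully_decode handles any further layers.
        for key, val in parse_qsl(url.query, keep_blank_values=True):
            if key == param and has_parent_segment(val):
                hits.append(line)
                break
    return hits

if __name__ == "__main__":
    for hit in flag_traversal(SAMPLE_LOG):
        print(hit)
```

Matching on whole '..' segments rather than the substring keeps names such as notes..txt from being flagged.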