Microfocus Host Access Management And Security Server 12.2 Directory traversal Vulnerability
16 Jun. 2017
Administrative Server in Micro Focus Host Access Management and Security Server (MSS) and Reflection for the Web (RWeb) and Reflection Security Gateway (RSG) and Reflection ZFE (ZFE) allows remote unauthenticated attackers to read arbitrary files via a specially crafted URL that allows limited directory traversal. Applies to MSS 12.3 before 12.3.326 and MSS 12.2 before 12.2.342 and RSG 12.1 before 12.1.362 and RWeb 12.3 before 12.3.312 and RWeb 12.2 before 12.2.342 and RWeb 12.1 before 12.1.362 and ZFE 2.0.1 before 184.108.40.206 and ZFE 2.0.0 before 220.127.116.11 and ZFE 1.4.0 before 18.104.22.168.
* Microfocus Host Access Management And Security Server 12.2
* Microfocus Host Access Management And Security Server 12.3
* Microfocus Reflection For The Web 12.1
* Microfocus Reflection For The Web 12.2
* Microfocus Reflection For The Web 12.3
* Microfocus Reflection Security Gateway 12.1
* Microfocus Reflection Zfe 22.214.171.124
* Microfocus Reflection Zfe 126.96.36.199
* Microfocus Reflection Zfe 188.8.131.52
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Attachmate Host Access Management and Security Server. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the PassThru resource. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose sensitive information under the context of the current process.