Internet security vendor Symantec has shipped patches to cover a pair of vulnerabilities in its enterprise-facing BrightMail AntiSpam product.
Cupertino, Calif.-based Symantec warned in an advisory that the bugs could lead to data manipulation, denial-of-service attacks or the exposure of sensitive information.
Affected products include Symantec BrightMail AntiSpam 4.x through 6.x. The company recommends that customers immediately update to version 6.0.4 or upgrade to Symantec Mail Security for SMTP 5.0.
Security alerts aggregator Secunia rates the issue as “moderately critical.”
Symantec said the vulnerability is caused because the anti-spam software fails to fully sanitize file names passed to the DATABLOB-GET / DATABLOB-SAVE requests of directory traversal sequences.
“This directory traversal vulnerability could result in confidential system information being exposed,” the company said.
The second flaw applies to the BrightMail AntiSpam Control Center that controls e-mail scanners.
During the installation of the e-mail scanner, if the user chooses an option to allow the Control Center to connect from any computer, it opens the door for a remote attacker to impersonate the Control Center.
Symantec said the attacker could send invalid posts to the anti-spam service, causing a denial-of-service condition.
The company also warned that the two flaws can be combined to expose some system files or allow files to be overwritten.