CVE-2016-6597 – Sophos Mobile Control 3.5.0.3 Open Reverse Proxy

https://notcve.org/view.php?id=CVE-2016-6597

Sophos EAS Proxy before 6.2.0 for Sophos Mobile Control, when Lotus Traveler is enabled, allows remote attackers to access arbitrary web-resources from the backend mail system via a request for the resource, aka an Open Reverse Proxy vulnerability. Sophos EAS Proxy en versiones anteriores a 6.2.0 para Sophos Mobile Control, cuando Lotus Traveler está habilitada, permite a atacantes remotos acceder a recursos web arbitrarios desde el sistema de correo del backend a través de una petición del recurso, también conocida como una vulnerabilidad Open Reverse Proxy. Sophos EAS Proxy is part of the Enterprise Mobility Management (EMM) platform Sophos Mobile Control, which allows control of mail access for managed mobile devices. Anonymous attackers can access any web-resources of the backend mail system like Microsoft Exchange or IBM Domino, if Lotus Traveler option is enabled. Brute force attacks against users in the backend mail system are also possible. • http://packetstormsecurity.com/files/138210/Sophos-Mobile-Control-3.5.0.3-Open-Reverse-Proxy.html http://www.securityfocus.com/archive/1/539126/100/0/threaded http://www.securityfocus.com/bid/92351 https://www.pallas.com/advisories/sophos_eas_open_reverse_proxy_vulnerability • CWE-254: 7PK - Security Features •