[ZendTo] Security Audit Findings
Ryan_Stepalavich at banksi.com
Tue Jun 24 19:43:32 BST 2014
We just got hit with two audit findings for ZendTo, and I was wondering if there was any fix/workaround for these.
#1: ZendTo allows any file of any extension to be dropped off. Is there a way to whitelist a few extensions and reject all others?
#2: ZendTo's error reporting allows attackers to enumerate your organization's userlist. By brute-forcing the "To:" field in a drop-off, the attacker can get the full list of valid users in LDAP.
I can give further details as needed.
Ryan Stepalavich, CSSA
Sr. Network Administrator
Savings Institute Bank & Trust, Co.
Office: (860) 465-8602
Fax: (860) 456-5218
This document and any files transmitted with it are
confidential and intended solely for the use of the individual
or entity to whom they are addressed. If you have received this
document in error please notify the originator of the message.
Any views expressed in this message are those of the individual
sender, except where the sender specifies and with authority,
states them to be the views of Savings Institute Bank & Trust.
This footer confirms that this e-mail message has been scanned
for the presence of computer viruses by the Savings Institute
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the ZendTo