[ZendTo] Security Audit Findings

Ryan Stepalavich Ryan_Stepalavich at banksi.com
Tue Jun 24 19:43:32 BST 2014


Hi folks,

We just got hit with two audit findings for ZendTo, and I was wondering if there was any fix/workaround for these.

#1: ZendTo allows any file of any extension to be dropped off. Is there a way to whitelist a few extensions and reject all others?

#2: ZendTo's error reporting allows attackers to enumerate your organization's userlist. By brute-forcing the "To:" field in a drop-off, the attacker can get the full list of valid users in LDAP.

I can give further details as needed.

Best regards,

Ryan Stepalavich, CSSA
Sr. Network Administrator
Savings Institute Bank & Trust, Co.
Office: (860) 465-8602
Fax: (860) 456-5218
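As an added illustration of the two mitigations the findings ask for, the following Python is not part of this post and not ZendTo's own code. It shows, first, an extension allowlist check that judges only the final suffix (so `report.pdf.exe` and `REPORT.PDF` are treated as `exe` and `pdf`), and second, a drop-off handler that returns the same response whether or not the "To:" address resolves, recording the distinction only in a server-side log where repeated misses from one source can be flagged. The allowlist, the `KNOWN_USERS` set standing in for the LDAP directory, and the threshold are constructed assumptions.

```python
import os
from collections import Counter

# Assumed allowlist; a real deployment chooses its own set of permitted suffixes.
ALLOWED_EXTENSIONS = frozenset({"pdf", "docx", "xlsx", "csv", "png", "jpg", "zip"})

# Constructed stand-in for the LDAP user directory.
KNOWN_USERS = frozenset({"alice@example.org", "bob@example.org"})

# Single message shown to the submitter regardless of whether the recipient exists.
GENERIC_MESSAGE = "Your drop-off has been recorded and will be delivered if the recipient is valid."


def extension_allowed(filename: str, allowed=ALLOWED_EXTENSIONS) -> bool:
    """Accept a filename only if its last suffix is on the allowlist.

    Only the final suffix counts, compared case-insensitively. Names with no
    suffix, or that end in a dot, are rejected rather than guessed at.
    """
    base = os.path.basename(filename.strip())
    if not base or base.endswith(".") or "." not in base:
        return False
    ext = base.rsplit(".", 1)[1].lower()
    return ext in allowed


def lookup_recipient(address: str) -> bool:
    """Stand-in for the directory lookup; returns True if the address is known."""
    return address.strip().lower() in KNOWN_USERS


def submit_dropoff(recipient: str, filename: str, log: list, source_ip: str) -> dict:
    """Handle one drop-off request.

    The file-type check fails loudly because it reveals nothing about users.
    The recipient check always runs and always yields the same response to
    the submitter; whether the address was valid goes only to the server log.
    """
    if not extension_allowed(filename):
        return {"accepted": False, "message": "File type not permitted."}
    valid = lookup_recipient(recipient)  # runs on every request, so both paths cost the same
    log.append({"source_ip": source_ip, "recipient": recipient, "valid": valid})
    if valid:
        pass  # delivery/notification would happen here
    return {"accepted": True, "message": GENERIC_MESSAGE}


def enumeration_suspected(log: list, threshold: int = 20) -> set:
    """Return the source IPs whose count of invalid-recipient submissions
    meets the threshold, i.e. the pattern a brute-force of the To: field leaves."""
    misses = Counter(e["source_ip"] for e in log if not e["valid"])
    return {ip for ip, n in misses.items() if n >= threshold}


if __name__ == "__main__":
    audit_log = []
    print(submit_dropoff("alice@example.org", "q3.pdf", audit_log, "10.0.0.1"))
    print(submit_dropoff("nobody@example.org", "q3.pdf", audit_log, "10.0.0.1"))
    print(submit_dropoff("alice@example.org", "q3.pdf.exe", audit_log, "10.0.0.1"))
    for i in range(25):
        submit_dropoff(f"guess{i}@example.org", "x.csv", audit_log, "10.0.0.2")
    print("suspected enumeration from:", enumeration_suspected(audit_log))
```

The point of the second half is that the submitter cannot tell a hit from a miss: the lookup happens on both paths so there is no timing difference to exploit, the HTTP status and message are identical, and the only record of which addresses resolved lives in the log that `enumeration_suspected` reads. Rate limiting or CAPTCHA on the drop-off form would further raise the cost of guessing, but the uniform response is what removes the oracle.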


