[ZendTo] Re: Security Audit Findings
Jules at Zend.To
Thu Jun 26 11:09:40 BST 2014
On 24/06/2014 19:43, Ryan Stepalavich wrote:
> Hi folks,
> We just got hit with two audit findings for ZendTo, and I was
> wondering if there was any fix/workaround for these.
> #1: ZendTo allows any file of any extension to be dropped off. Is
> there a way to whitelist a few extensions and reject all others?
I learnt right back near the start of developing MailScanner that basing
security on filename extensions is a complete red herring and a total
waste of time. If you do any check at all, it *has* to be based on file
*content*, not file *name*. I intentionally did not build this sort of a
system into ZendTo as I wanted it to be a solution for all those sites
using MailScanner (or any other mail security gateway product) where you
have a need to get files in and out that your mail system will not
allow. If you restrict filename extension, everyone (including the bad
guys) just changes the extension or adds a "safe" one with a simple note
to the user to rename the file once they've got it. It provides no
security whatsoever, it is a "tick box" and nothing more.
> #2: ZendTo's error reporting allows attackers to enumerate your
> organization's userlist. By brute-forcing the "To:" field in a
> drop-off, the attacker can get the full list of valid users in LDAP.
Can you explain in more detail please? ZendTo does not verify the
contents of the "To:" field (other than the domain name in external
dropoffs). It's far easier and faster to enumerate all valid users by
brute-forcing SMTP "RCPT" commands. They usually give you an instant
valid/invalid response for each attempt, and don't require you to
attempt to send any message to anyone. Again, no added security
whatsoever, it's another tick box.
> I can give further details as needed.
> Best regards,
> Ryan Stepalavich, CSSA
> Sr. Network Administrator
> Savings Institute Bank & Trust, Co.
> Office: (860) 465-8602
> Fax: (860) 456-5218
Julian Field MEng MBCS CITP CEng
'It's very unlikely indeed he will ever recover consciousness, and
if he does it won't be the Julian you knew.'
- A hospital consultant I proved very wrong in 2007 :-)
Twitter: @JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
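The point made above about finding #1 (check file *content*, not file *name*) in runnable form. This is an added example, not ZendTo or MailScanner code: the signature table, the allowlists, and the sample "uploads" are constructed for illustration, and a production check would use libmagic (the `file` command) or a proper parser for each format rather than a hand-rolled prefix table.

```python
"""Extension allowlist versus content sniffing for uploaded files.

Added example, not ZendTo code. The signature table and the sample uploads
below are constructed for illustration; a real deployment would use libmagic
(the `file` command) or a full parser per format.
"""
from typing import Dict, List, Tuple

# Well-known leading bytes for a handful of formats (assumption: this subset
# is enough to show the technique; it is deliberately not exhaustive).
SIGNATURES: List[Tuple[bytes, str]] = [
    (b"MZ", "application/x-dosexec"),          # DOS/Windows PE executable
    (b"\x7fELF", "application/x-elf"),         # Linux/Unix executable
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),        # also docx/xlsx/jar containers
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"#!", "text/x-script"),                  # shebang script
]


def sniff_type(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the name entirely."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    # Fallback: valid UTF-8 without control bytes counts as plain text,
    # anything else is an opaque binary blob.
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "application/octet-stream"
    if any(ord(ch) < 0x20 and ch not in "\t\r\n" for ch in text):
        return "application/octet-stream"
    return "text/plain"


EXTENSION_ALLOWLIST = {"txt", "pdf", "png", "jpg", "jpeg"}
CONTENT_ALLOWLIST = {"text/plain", "application/pdf", "image/png", "image/jpeg"}


def extension_check(filename: str) -> bool:
    """The 'tick box' check: trust whatever extension the uploader chose."""
    _, dot, ext = filename.rpartition(".")
    return bool(dot) and ext.lower() in EXTENSION_ALLOWLIST


def content_check(data: bytes) -> bool:
    """Decide from the bytes, so renaming the file changes nothing."""
    return sniff_type(data) in CONTENT_ALLOWLIST


def evaluate(filename: str, data: bytes) -> Dict[str, object]:
    """Run both checks on one upload and report what each concluded."""
    return {
        "extension_ok": extension_check(filename),
        "content_ok": content_check(data),
        "sniffed": sniff_type(data),
    }


# Constructed sample uploads (minimal headers, not real files).
SAMPLES: Dict[str, bytes] = {
    # A PE executable renamed to .txt: passes the extension check, fails content.
    "readme.txt": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00",
    # A genuine text note (the "rename it after download" trick from the mail).
    "notes.txt": b"Please rename this to report.exe after download.\n",
    # A PNG given a scary extension: fails the extension check, content is fine.
    "photo.exe": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    # A gzip blob with an allowed extension: content sniffing rejects it as
    # unknown, but neither check can see what is packed inside.
    "archive.pdf": b"\x1f\x8b\x08\x00\x00\x00\x00\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:12} {evaluate(name, blob)}")
```

Running the block shows the two checks disagreeing on exactly the cases the mail describes: the renamed executable sails through the extension allowlist and is stopped only by its leading bytes, while the harmless PNG is blocked by its extension alone. The last sample is the caveat a practitioner should keep in mind: content sniffing tells you what a file *is*, not what a container or encrypted blob *holds*, so it is a better filter than the extension but still not a substitute for a real scanner.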
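For finding #2, the reply's comparison with SMTP "RCPT" brute-forcing, here is the exchange both ways: a simulated server that answers 250/550 per mailbox (the instant valid/invalid oracle the mail refers to) beside one that accepts any local-domain address and defers the decision, plus the probing client that harvests the 250s. This is an added illustration, not ZendTo, MailScanner or any real MTA's code; the domain, the user directory (standing in for LDAP) and the wordlist are constructed, and the reply codes are the standard SMTP ones.

```python
"""SMTP RCPT TO as a user-enumeration oracle, and a server that closes it.

Added example, not ZendTo or MailScanner code. The user directory, the
domain and the wordlist are constructed for illustration; the reply codes
are the standard SMTP ones (250 accepted, 550 mailbox unavailable,
554 transaction failed).
"""
from typing import Iterable, List, Set

DOMAIN = "example.com"                              # constructed
VALID_USERS: Set[str] = {"alice", "bob", "carol"}   # stands in for LDAP


def rcpt_response(recipient: str, reveal_verdict: bool) -> str:
    """Server side: reply to one 'RCPT TO:<recipient>' command.

    reveal_verdict=True  : answer 250/550 per mailbox, the instant oracle
    reveal_verdict=False : accept any local-domain address and defer the
                           unknown-user decision to delivery time
    """
    local, at, domain = recipient.partition("@")
    if not at or domain.lower() != DOMAIN:
        return "554 5.7.1 <%s>: Relay access denied" % recipient
    if reveal_verdict and local.lower() not in VALID_USERS:
        return "550 5.1.1 <%s>: Recipient address rejected: User unknown" % recipient
    return "250 2.1.5 Ok"


def enumerate_users(wordlist: Iterable[str], reveal_verdict: bool) -> Set[str]:
    """Attacker side: one RCPT per guess, keep the names answered with 250.

    No DATA phase is ever sent, so no message is delivered to anyone.
    """
    found = set()
    for name in wordlist:
        reply = rcpt_response("%s@%s" % (name, DOMAIN), reveal_verdict)
        if reply.startswith("250"):
            found.add(name)
    return found


def transcript(wordlist: Iterable[str], reveal_verdict: bool) -> List[str]:
    """Render the exchange as it would look on the wire, after MAIL FROM."""
    lines = ["C: MAIL FROM:<probe@attacker.invalid>", "S: 250 2.1.0 Ok"]
    for name in wordlist:
        rcpt = "%s@%s" % (name, DOMAIN)
        lines.append("C: RCPT TO:<%s>" % rcpt)
        lines.append("S: " + rcpt_response(rcpt, reveal_verdict))
    return lines


WORDLIST = ["admin", "alice", "bob", "dave", "carol", "root"]   # constructed

if __name__ == "__main__":
    print("\n".join(transcript(WORDLIST, reveal_verdict=True)))
    print("leaked:", sorted(enumerate_users(WORDLIST, True)))
    print("with deferred verdict:", sorted(enumerate_users(WORDLIST, False)))
```

With `reveal_verdict=True` the client recovers exactly the three real users from six guesses and never has to send a message; with the verdict deferred it learns nothing at RCPT time, because every local address is answered 250. The caveat is that deferring the check is a trade-off rather than a free fix: unknown recipients then have to be rejected later, which turns into bounces (backscatter) or other observable differences that a patient attacker can still measure.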