[ZendTo] Re: Security Audit Findings

Jules Jules at Zend.To
Thu Jun 26 11:09:40 BST 2014


On 24/06/2014 19:43, Ryan Stepalavich wrote:
>
> Hi folks,
>
> We just got hit with two audit findings for ZendTo, and I was 
> wondering if there was any fix/workaround for these.
>
Interesting.
>
> #1: ZendTo allows any file of any extension to be dropped off. Is 
> there a way to whitelist a few extensions and reject all others?
>
I learnt right back near the start of developing MailScanner that basing 
security on filename extensions is a complete red herring and a total 
waste of time. If you do any check at all, it *has* to be based on file 
*content*, not file *name*. I intentionally did not build this sort of a 
system into ZendTo as I wanted it to be a solution for all those sites 
using MailScanner (or any other mail security gateway product) where you 
have a need to get files in and out that your mail system will not 
allow. If you restrict filename extension, everyone (including the bad 
guys) just changes the extension or adds a "safe" one with a simple note 
to the user to rename the file once they've got it. It provides no 
security whatsoever, it is a "tick box" and nothing more.
>
> #2: ZendTo's error reporting allows attackers to enumerate your 
> organization's userlist. By brute-forcing the "To:" field in a 
> drop-off, the attacker can get the full list of valid users in LDAP.
>
Can you explain in more detail please? ZendTo does not verify the 
contents of the "To:" field (other than the domain name in external 
dropoffs). It's far easier and faster to enumerate all valid users by 
brute-forcing SMTP "RCPT" commands. They usually give you an instant 
valid/invalid response for each attempt, and don't require you to 
attempt to send any message to anyone. Again, no added security 
whatsoever, it's another tick box.

Cheers,
Jules.

> I can give further details as needed.
>
> Best regards,
>
> Ryan Stepalavich, CSSA
>
> Sr. Network Administrator
>
> Savings Institute Bank & Trust, Co.
>
> Office: (860) 465-8602
>
> Fax: (860) 456-5218
>
> This document and any files transmitted with it are
> confidential and intended solely for the use of the individual
> or entity to whom they are addressed. If you have received this
> document in error please notify the originator of the message.
> Any views expressed in this message are those of the individual
> sender, except where the sender specifies and with authority,
> states them to be the views of Savings Institute Bank & Trust.
> This footer confirms that this e-mail message has been scanned
> for the presence of computer viruses by the Savings Institute
> email gateway.
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
> Jules
>
> -- 
> Julian Field MEng MBCS CITP CEng
>
> 'It's very unlikely indeed he will ever recover consciousness, and
>   if he does it won't be the Julian you knew.'
>    - A hospital consultant I proved very wrong in 2007 :-)
>
> www.Zend.To
> Twitter: @JulesFM
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
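To illustrate the point made above, that a useful upload check has to look at file *content* rather than the filename extension, here is an added example. It is not ZendTo's own code and not anything from the thread; the signature table, the extension map and the function names are assumptions for the example (a production deployment would normally lean on a fuller signature database such as libmagic). It runs the same upload through an extension-only allowlist and through a content-based check, showing that renaming an executable to `.txt` passes the first and is caught by the second.

```python
import os

# Leading-byte signatures for a handful of common formats.  Constructed
# for this example; real deployments should use a full table (libmagic).
SIGNATURES = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip-container"),
]

# What each extension *claims* the file is (assumed mapping for the example).
EXT_CLAIMS = {".pdf": "pdf", ".png": "png", ".zip": "zip-container", ".txt": "text"}


def sniff_type(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its name entirely."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    # Heuristic: printable ASCII plus tab/CR/LF is treated as plain text.
    if data and all(b in b"\t\r\n" or 0x20 <= b < 0x7F for b in data):
        return "text"
    return "unknown"


def extension_only_check(filename: str, allowed_exts: set) -> bool:
    """The 'tick box' check: trusts whatever the sender named the file."""
    return os.path.splitext(filename)[1].lower() in allowed_exts


def content_check(filename: str, data: bytes, allowed_types: set) -> tuple:
    """Content-based check: returns (verdict, sniffed_type, reason).

    Rejects when the sniffed type is not allowed, or when the extension
    claims a type that disagrees with what the bytes actually are.
    """
    ext = os.path.splitext(filename)[1].lower()
    actual = sniff_type(data)
    claimed = EXT_CLAIMS.get(ext)
    if actual not in allowed_types:
        return ("reject", actual, f"content type {actual!r} not allowed")
    if claimed is not None and claimed != actual:
        return ("reject", actual,
                f"extension {ext!r} claims {claimed!r} but content is {actual!r}")
    return ("accept", actual, "ok")


if __name__ == "__main__":
    # Constructed sample: a PE header renamed to look like a text file.
    renamed_exe = b"MZ\x90\x00" + b"\x00" * 60
    print(extension_only_check("notes.txt", {".txt", ".pdf"}))      # True
    print(content_check("notes.txt", renamed_exe, {"pdf", "png", "text"}))
```

The extension-only function says yes to `notes.txt` because the name is on the allowlist; the content-based function rejects the same bytes as `pe-executable`, and it also rejects a plain-text file that has been given a `.pdf` name, since the claimed and sniffed types disagree.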