[ZendTo] Re: Security Audit Findings

John Thurston john.thurston at alaska.gov
Thu Jun 26 17:30:27 BST 2014


Thank you for your sane and reasoned response, Jules.

I have been on the receiving end of such 'tick box' reports and have 
invested a fair amount of time providing similar explanations. I 
appreciate your continued support of this useful application.
-- 
    Do things because you should, not just because you can.

John Thurston    907-465-8591
John.Thurston at alaska.gov
Enterprise Technology Services
Department of Administration
State of Alaska

On 6/26/2014 2:09 AM, Jules wrote:
>
> On 24/06/2014 19:43, Ryan Stepalavich wrote:
>>
>> Hi folks,
>>
>> We just got hit with two audit findings for ZendTo, and I was
>> wondering if there was any fix/workaround for these.
>>
> Interesting.
>>
>> #1: ZendTo allows any file of any extension to be dropped off. Is
>> there a way to whitelist a few extensions and reject all others?
>>
> I learnt right back near the start of developing MailScanner that basing
> security on filename extensions is a complete red herring and a total
> waste of time. If you do any check at all, it *has* to be based on file
> *content*, not file *name*. I intentionally did not build this sort of a
> system into ZendTo as I wanted it to be a solution for all those sites
> using MailScanner (or any other mail security gateway product) where you
> have a need to get files in and out that your mail system will not
> allow. If you restrict filename extension, everyone (including the bad
> guys) just changes the extension or adds a "safe" one with a simple note
> to the user to rename the file once they've got it. It provides no
> security whatsoever, it is a "tick box" and nothing more.
>>
>> #2: ZendTo's error reporting allows attackers to enumerate your
>> organization's userlist. By brute-forcing the "To:" field in a
>> drop-off, the attacker can get the full list of valid users in LDAP.
>>
> Can you explain in more detail please? ZendTo does not verify the
> contents of the "To:" field (other than the domain name in external
> dropoffs). It's far easier and faster to enumerate all valid users by
> brute-forcing SMTP "RCPT" commands. They usually give you an instant
> valid/invalid response for each attempt, and don't require you to
> attempt to send any message to anyone. Again, no added security
> whatsoever, it's another tick box.
>
> Cheers,
> Jules.
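Jules's point that a check "has to be based on file content, not file name" is easy to see in code. The following is an added illustration for this thread, not code from ZendTo or MailScanner: it puts a name-only check beside a content-aware one and runs both over a few constructed sample files, including a Windows executable renamed to `.pdf`. The leading-byte signatures are the published magic numbers of each format; the `EXPECTED` mapping and the sample bytes are assumptions made up for the example.

```python
"""Extension-based versus content-based file checks (added example).

Not ZendTo or MailScanner code.  Shows why an extension allow-list is a
"tick box": a renamed file passes it, while a check on the leading bytes
of the content does not.
"""
import os

# Published leading-byte signatures (magic numbers) of common formats.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"MZ", "windows-executable"),      # PE / DOS stub
    (b"\x7fELF", "elf-executable"),
    (b"PK\x03\x04", "zip-container"),   # zip, and docx/xlsx/jar on top of it
]

# Assumed policy: which sniffed content type each extension is allowed to carry.
EXPECTED = {
    "png": {"png"},
    "pdf": {"pdf"},
    "jpg": {"jpeg"}, "jpeg": {"jpeg"},
    "gif": {"gif"},
    "zip": {"zip-container"}, "docx": {"zip-container"}, "xlsx": {"zip-container"},
    "exe": {"windows-executable"}, "dll": {"windows-executable"},
}


def extension_of(filename: str) -> str:
    """Lower-cased extension without the dot ('' if there is none)."""
    return os.path.splitext(filename)[1].lower().lstrip(".")


def sniff_type(data: bytes) -> str:
    """Content type derived from the leading bytes, or 'unknown'."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    return "unknown"


def extension_check(filename: str, allowed: frozenset) -> bool:
    """The name-only check: trusts whatever the uploader called the file."""
    return extension_of(filename) in allowed


def content_check(filename: str, data: bytes, allowed: frozenset) -> tuple:
    """Content-aware check: the extension must be allowed AND the bytes must
    be the format that extension claims.  Returns (verdict, reason)."""
    ext = extension_of(filename)
    if ext not in allowed:
        return ("reject", f".{ext} is not on the allow-list")
    expected = EXPECTED.get(ext)
    if expected is None:
        # Allowed by policy but we have no signature to verify it against.
        return ("review", f"no content signature known for .{ext}")
    kind = sniff_type(data)
    if kind == "unknown":
        return ("reject", f"content matches no known signature for .{ext}")
    if kind not in expected:
        return ("reject", f"name says .{ext} but content is {kind}")
    return ("accept", f"content verified as {kind}")


# Constructed sample "uploads" (not real files): name -> leading bytes.
SAMPLES = {
    "report.pdf":  b"MZ\x90\x00" + b"\x00" * 60,          # PE renamed to .pdf
    "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",       # genuine PDF header
    "photo.png":   b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,    # genuine PNG header
    "tool.exe":    b"MZ\x90\x00" + b"\x00" * 60,           # honest executable
    "notes.txt":   b"",                                    # empty body
}


def run_demo(allowed: frozenset = frozenset({"pdf", "png"})) -> dict:
    """Run both checks over SAMPLES; returns name -> (name_check, content_verdict)."""
    results = {}
    for name, data in SAMPLES.items():
        verdict, reason = content_check(name, data, allowed)
        results[name] = (extension_check(name, allowed), verdict)
        print(f"{name:12s} extension_check={results[name][0]!s:5s} "
              f"content_check={verdict:7s} ({reason})")
    return results


if __name__ == "__main__":
    run_demo()
```

The renamed executable passes `extension_check` and fails `content_check`, which is the whole argument in one line of output. Two caveats for anyone turning this into a real gate: a signature test only tells you the container format, so anything zip-based (docx, jar, apk) needs the archive opened and its members inspected, and a file with no recognisable signature should fail closed rather than be waved through on the strength of its name.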





