[ZendTo] Re: Security Audit Findings

Ryan Stepalavich Ryan_Stepalavich at banksi.com
Thu Jun 26 20:17:01 BST 2014


Jules,

Thanks so much for getting back to me on this. We have all the info we need now.

Thanks again!


On 24/06/2014 19:43, Ryan Stepalavich wrote:
>
> Hi folks,
>
> We just got hit with two audit findings for ZendTo, and I was 
> wondering if there was any fix/workaround for these.
>
Interesting.
>
> #1: ZendTo allows any file of any extension to be dropped off. Is 
> there a way to whitelist a few extensions and reject all others?
>
I learnt right back near the start of developing MailScanner that basing security on filename extensions is a complete red herring and a total waste of time. If you do any check at all, it *has* to be based on file *content*, not file *name*. I intentionally did not build this sort of a system into ZendTo as I wanted it to be a solution for all those sites using MailScanner (or any other mail security gateway product) where you have a need to get files in and out that your mail system will not allow. If you restrict filename extension, everyone (including the bad guys) just changes the extension or adds a "safe" one with a simple note to the user to rename the file once they've got it. It provides no security whatsoever, it is a "tick box" and nothing more.
>
> #2: ZendTo's error reporting allows attackers to enumerate your 
> organization's userlist. By brute-forcing the "To:" field in a 
> drop-off, the attacker can get the full list of valid users in LDAP.
>
Can you explain in more detail please? ZendTo does not verify the contents of the "To:" field (other than the domain name in external dropoffs). It's far easier and faster to enumerate all valid users by brute-forcing SMTP "RCPT" commands. They usually give you an instant valid/invalid response for each attempt, and don't require you to attempt to send any message to anyone. Again, no added security whatsoever, it's another tick box.

Cheers,
Jules.

> I can give further details as needed.
>
> Best regards,
>
> Ryan Stepalavich, CSSA
>
> Sr. Network Administrator
>
> Savings Institute Bank & Trust, Co.
>
> Office: (860) 465-8602
>
> Fax: (860) 456-5218
>
> This document and any files transmitted with it are confidential and 
> intended solely for the use of the individual or entity to whom they 
> are addressed. If you have received this document in error please 
> notify the originator of the message.
> Any views expressed in this message are those of the individual 
> sender, except where the sender specifies and with authority, states 
> them to be the views of Savings Institute Bank & Trust.
> This footer confirms that this e-mail message has been scanned for the 
> presence of computer viruses by the Savings Institute email gateway.
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
> Jules
>
> --
> Julian Field MEng MBCS CITP CEng
>
> 'It's very unlikely indeed he will ever recover consciousness, and
>   if he does it won't be the Julian you knew.'
>    - A hospital consultant I proved very wrong in 2007 :-)
>
> www.Zend.To
> Twitter: @JulesFM
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
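The difference Jules draws between checking a file's name and checking its content, as an added example that is not part of the original thread and not ZendTo's own code: a constructed set of uploads is run through both an extension whitelist and a leading-byte (magic number) check. The signature table, the allowed-extension and allowed-content sets, and the sample files are all assumptions made up for this illustration.

```python
"""Extension whitelist vs. content sniffing (added example, not ZendTo code).

A renamed executable passes the extension check and fails the content check;
the content check does not care what the file is called.
"""
import os

# Leading-byte signatures for a few common formats (constructed table; real
# detectors such as libmagic carry thousands of these). Note that Office
# OOXML files (.docx, .xlsm, ...) are ZIP containers and match "PK\x03\x04".
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),
    (b"#!", "script"),
]

# Hypothetical site policy for the example.
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".png"}
ALLOWED_CONTENT = {"pdf", "png", "text"}


def sniff(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its name entirely."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    # Fallback: call it text only if it is valid UTF-8 with no NUL bytes.
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return "unknown-binary"
    return "unknown-binary" if b"\x00" in data else "text"


def extension_check(filename: str) -> bool:
    """The 'tick box' check: trusts whatever the sender named the file."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def content_check(data: bytes) -> bool:
    """The content-based check: the sender cannot rename their way past it."""
    return sniff(data) in ALLOWED_CONTENT


def evaluate(filename: str, data: bytes) -> dict:
    """Run both checks on one upload and report what the content really is."""
    return {
        "extension_ok": extension_check(filename),
        "content_ok": content_check(data),
        "detected": sniff(data),
    }


# Constructed samples: a stub PE header renamed to .txt, a renamed ZIP
# container, and two files whose names and contents agree.
SAMPLES = {
    "invoice.txt": b"MZ\x90\x00" + b"\x00" * 60,      # executable, "safe" name
    "macro.docm.txt": b"PK\x03\x04" + b"\x00" * 26,    # zip container, renamed
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "notes.txt": b"hello\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:16} {evaluate(name, data)}")
```

Even a magic-number check is only a first pass: archives and encrypted containers hide their payload from it, and a sender who knows an allowed type exists can wrap anything inside it. That is consistent with the reply above, which treats the upload gate as the wrong place to be doing content inspection at all.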

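The SMTP "RCPT" enumeration Jules describes as the faster route to a user list, as an added example that is not part of the original thread and not ZendTo's own code: a simulated exchange with both sides' lines, against a server that verifies recipients at RCPT time and against one that answers every in-domain RCPT the same way. The directory, the domain, the candidate names and the reply texts are constructed for this illustration; nothing touches the network.

```python
"""SMTP RCPT TO user enumeration, simulated (added example, not ZendTo code).

After MAIL FROM, each RCPT TO gets an immediate 250 or 550, so a list of
candidate names can be confirmed without ever sending a message (the client
issues RSET, never DATA).
"""
from typing import Callable, List, Tuple

DOMAIN = "example.com"                    # constructed
DIRECTORY = {"alice", "bob", "carol"}     # constructed stand-in for LDAP

Responder = Callable[[str], Tuple[int, str]]


def strict_server(rcpt: str) -> Tuple[int, str]:
    """Server that looks each recipient up at RCPT time: the enumerable case."""
    local, _, domain = rcpt.partition("@")
    if domain != DOMAIN:
        return 550, "5.7.1 Relaying denied"
    if local in DIRECTORY:
        return 250, "2.1.5 Recipient OK"
    return 550, "5.1.1 User unknown"


def uniform_server(rcpt: str) -> Tuple[int, str]:
    """Server that accepts every in-domain recipient at RCPT time (a catch-all,
    or accept-then-bounce): RCPT replies no longer distinguish real users."""
    _, _, domain = rcpt.partition("@")
    if domain != DOMAIN:
        return 550, "5.7.1 Relaying denied"
    return 250, "2.1.5 Recipient OK"


def enumerate_users(candidates: List[str], server: Responder) -> Tuple[List[str], List[str]]:
    """Replay the client side of the session against `server`.

    Returns (names the server confirmed, full transcript of the exchange).
    """
    transcript = [
        "S: 220 mail.example.com ESMTP",
        "C: EHLO probe.invalid",
        "S: 250 mail.example.com",
        "C: MAIL FROM:<probe@probe.invalid>",
        "S: 250 2.1.0 Ok",
    ]
    confirmed = []
    for name in candidates:
        rcpt = f"{name}@{DOMAIN}"
        code, text = server(rcpt)
        transcript.append(f"C: RCPT TO:<{rcpt}>")
        transcript.append(f"S: {code} {text}")
        if code == 250:
            confirmed.append(name)
    # Abort the transaction: no DATA, so no message is ever delivered.
    transcript.append("C: RSET")
    transcript.append("S: 250 2.0.0 Ok")
    transcript.append("C: QUIT")
    transcript.append("S: 221 2.0.0 Bye")
    return confirmed, transcript


CANDIDATES = ["alice", "admin", "bob", "dave", "carol"]   # constructed guesses


def enumeration_leaks(server: Responder) -> bool:
    """True if the server's RCPT replies reveal which candidates are real."""
    confirmed, _ = enumerate_users(CANDIDATES, server)
    return confirmed != CANDIDATES and len(confirmed) > 0

if __name__ == "__main__":
    for label, server in (("strict", strict_server), ("uniform", uniform_server)):
        confirmed, transcript = enumerate_users(CANDIDATES, server)
        print(f"--- {label} server: confirmed {confirmed}")
        print("\n".join(transcript))
```

The uniform server closes the RCPT oracle but, unless it is a genuine catch-all mailbox, it has to bounce unknown recipients later, which produces backscatter; in practice the oracle is more often blunted with per-connection recipient limits, tarpitting and rate limits rather than removed outright. None of this involves the ZendTo "To:" field, which, as the reply above notes, is not validated against the directory in the first place.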


