RE: Trendmicro - Interscan - List of BCC: is revealed when stripping attachments and notifying destination addresses

From: Florent Trupheme (ftruphemeat_private)
Date: Thu Apr 25 2002 - 01:25:55 PDT

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Hello,
    
    The current version of InterScan for Solaris is 1207 and corrects your
    issue.
    
    Regards,
    
    
    
    >> -----Original Message-----
    >> From: Ishay Sommer [mailto:ishaybasat_private]
    >> Sent: Wednesday, 24 April 2002 10:49
    >> To: bugtraqat_private
    >> Subject: Trendmicro - Interscan - List of BCC: is revealed when
    >> stripping attachments and notifying destination addresses
    >> 
    >> 
    >> Hello.
    >> 
    >> This email was sent to supportat_private over a week ago;
    >> so far, no response.
    >> 
    >> In the company that I work for, we use InterScan Version
    >> 3.6-Build_1142 for stripping of unwanted attachments ("Spam").
    >> No other versions have been tested.
    >> 
    >> Our sysadmin has configured the mail scanner to notify all
    >> destination addresses of a message containing such attachments
    >> with the "Spam" alert. Meaning that if I send a bad-content
    >> message to 10 recipients, all of them receive a "Spam" alert.
    >> 
    >> The problem is that each one of the recipients receives in his
    >> mailbox the spam warning message, including all addresses to
    >> which the original message was sent, even if they were sent as
    >> Bcc:
    >> 
    >> For example:
    >> 
    >> **************** eManager Notification *****************
    >> 
    >> The following mail was blocked since it contains sensitive
    >> content.  
    >> 
    >> Source mailbox: <ME>
    >> Destination mailbox(es): <RCPT1>,<RCPT2>,<RCPT3>
    >> Policy: Attachment Removal
    >> Attachment file name: accident.mpg - video/mpg
    >> Action: Replaced with text
    >> 
    >> The email was stripped from its attachment, since it doesn't
    >> comply with <ISP>'s Email Policy as can be viewed by <ISP>'s
    >> employees....
    >> 
    >> ******************* End of message *********************
    >> 
    >> This is a serious security disclosure vulnerability, as all of the
    >> message's recipients now have all the email addresses that were
    >> supposed to be kept secret.
    >> 
    >> I wish to publish this vulnerability on Bugtraq, after providing
    >> you with sufficient time to correct the problem, based on your
    >> response, and our communication.
    >> 
    >> Thank you
    >> 
    >> Ishay Sommer
    >> 
    >> 
    >> 
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.0.4
    
    iQA/AwUBPMe9j5C2KxGEE+dSEQIXfQCgtHMtxSf3qR0Ms8HiTrr79rQWHIIAoNr3
    VC6BwNU5xhKRpJNJxYVapZJ0
    =Yjzr
    -----END PGP SIGNATURE-----
    
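The leak described in the quoted report, reproduced beside a fixed variant as an added example (this is not InterScan or Trend Micro code, and not part of the thread). The sample message, the envelope recipient list and all addresses are constructed; the notice layout is modelled on the eManager text quoted above. The root cause shown is that the notice's "Destination mailbox(es)" line is filled from the SMTP envelope (RCPT TO), which includes Bcc recipients, instead of from the To/Cc headers the sender actually chose to expose.

```python
"""Gateway 'attachment stripped' notices: the recipient-list leak and a fix.

Added example modelled on the eManager notice quoted in the thread; it is
not Trend Micro code.  Message, envelope and addresses are constructed.
"""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Constructed sample: the visible headers name two recipients, but the SMTP
# envelope (RCPT TO) also carried a third address that was on Bcc.
SAMPLE_MESSAGE = """\
From: me@example.com
To: rcpt1@example.com
Cc: rcpt2@example.com
Subject: accident
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: text/plain

see attached
--b
Content-Type: video/mpg; name="accident.mpg"
Content-Disposition: attachment; filename="accident.mpg"

(binary omitted)
--b--
"""
# Envelope as the gateway saw it; rcpt3 was a Bcc recipient (constructed).
ENVELOPE_RCPTS = ["rcpt1@example.com", "rcpt2@example.com", "rcpt3@example.com"]


def parse(raw: str) -> Message:
    return message_from_string(raw)


def header_recipients(msg: Message) -> list[str]:
    """Addresses the sender made visible to everyone: To and Cc only.
    Bcc is never present in the delivered headers, so it cannot show up here."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted({addr.lower() for _, addr in pairs if addr})


def blocked_attachments(msg: Message) -> list[str]:
    """'filename - content type' for every MIME part that carries a filename."""
    return [f"{p.get_filename()} - {p.get_content_type()}"
            for p in msg.walk() if p.get_filename()]


def _notice(sender: str, destinations: list[str], attachments: list[str]) -> str:
    return ("**************** eManager Notification *****************\n"
            f"Source mailbox: {sender}\n"
            f"Destination mailbox(es): {','.join(destinations)}\n"
            "Policy: Attachment Removal\n"
            f"Attachment file name: {'; '.join(attachments)}\n"
            "Action: Replaced with text\n")


def leaky_notification(msg: Message, envelope_rcpts: list[str]) -> str:
    """The reported behaviour: one notice whose destination line is the SMTP
    envelope, sent to every recipient, so Bcc addresses reach all of them."""
    return _notice(msg["From"], envelope_rcpts, blocked_attachments(msg))


def safe_notification(msg: Message, envelope_rcpts: list[str]) -> dict[str, str]:
    """Fixed variant: one notice per envelope recipient, with the destination
    line taken from the visible To/Cc headers and never from the envelope."""
    visible = header_recipients(msg)
    text = _notice(msg["From"], visible, blocked_attachments(msg))
    return {rcpt: text for rcpt in envelope_rcpts}


def leaked_bcc(notice: str, envelope_rcpts: list[str], visible: list[str]) -> set[str]:
    """Check: which envelope-only (i.e. Bcc) addresses appear in the notice?"""
    bcc = {a.lower() for a in envelope_rcpts} - set(visible)
    return {a for a in bcc if a in notice.lower()}


if __name__ == "__main__":
    msg = parse(SAMPLE_MESSAGE)
    vis = header_recipients(msg)
    print("leaky notice exposes:",
          leaked_bcc(leaky_notification(msg, ENVELOPE_RCPTS), ENVELOPE_RCPTS, vis))
    for rcpt, text in safe_notification(msg, ENVELOPE_RCPTS).items():
        print(rcpt, "->", leaked_bcc(text, ENVELOPE_RCPTS, vis) or "no leak")
```

The check function is the part worth keeping around: feed it a real notice generated by whatever gateway is in use, the envelope recipients and the header recipients of the triggering message, and a non-empty result means the gateway is still disclosing Bcc addresses.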



    This archive was generated by hypermail 2b30 : Thu Apr 25 2002 - 19:38:04 PDT