Bugtraq mailing list archives
RE: Trendmicro - Interscan - List of BCC: is revealed when stripping attachments and notifying destination addresses
From: Florent Trupheme <ftrupheme () telsys ch>
Date: Thu, 25 Apr 2002 10:25:55 +0200
Hello,

The current version for interscan solaris is 1207 and corrects your issue.

Regards

-----Original Message-----
From: Ishay Sommer [mailto:ishaybas () netvision net il]
Sent: Wednesday, 24 April 2002 10:49
To: bugtraq () securityfocus com
Subject: Trendmicro - Interscan - List of BCC: is revealed when stripping attachments and notifying destination addresses

Hello.

This email was sent to support () trendmicro com over a week ago, so far, no response.

In the company that I work for, we use -InterScan Version 3.6-Build_1142, for stripping of unwanted attachments, "Spam". No other versions have been tested.

Our sys admin has configured the mail scanner to notify all destination addresses of a message containing such attachments, of the "Spam" alert. Meaning that if I send a bad content message to 10 recipients, all of them receive a "Spam" alert.

The problem is that each one of the recipients receives to his mailbox the spam warning message, including all addresses to which the original message was sent, even if they were sent as Bcc:

For example:

**************** eManager Notification *****************
The following mail was blocked since it contains sensitive content.
Source mailbox: <ME>
Destination mailbox(es): <RCPT1>,<RCPT2>,<RCPT3>
Policy: Attachment Removal
Attachment file name: accident.mpg - video/mpg
Action: Replaced with text
The email was stripped from its attachment, since it doesn't comply with <ISP>'s Email Policy as can be viewed by <ISP>'s employees....
******************* End of message *********************

This is a serious security disclosure vulnerability, as all of the message's recipients now have all the email addresses that were supposed to be kept secret.

I wish to publish this vulnerability on Bugtraq, after providing you with sufficient time to correct the problem, based on your response, and our communication.

Thank you
Ishay Sommer
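The disclosure reported in this thread, shown beside one way to avoid it, as an added example that is not part of the original posts and is not Trend Micro's code. The addresses, template wording and function names are assumptions made for illustration: the safe variant builds each notice from the To:/Cc: headers plus the addressee itself instead of from the full SMTP envelope.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: rcpt3 is a Bcc recipient, so it exists only in the
# SMTP envelope (RCPT TO) and never in the message headers.
RAW = """\
From: me@example.com
To: rcpt1@example.com
Cc: rcpt2@example.com
Subject: video

body
"""
ENVELOPE_RCPTS = ["rcpt1@example.com", "rcpt2@example.com", "rcpt3@example.com"]

# Hypothetical notification template, modelled on the one quoted above.
TEMPLATE = (
    "The following mail was blocked.\n"
    "Source mailbox: {src}\n"
    "Destination mailbox(es): {dst}\n"
)

def visible_recipients(msg):
    """Addresses every recipient can already see in the To:/Cc: headers."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs if addr]

def notify_leaky(msg, envelope):
    """Behaviour described in the report: full envelope list sent to everyone."""
    dst = ",".join(envelope)
    return {r: TEMPLATE.format(src=msg["From"], dst=dst) for r in envelope}

def notify_safe(msg, envelope):
    """Each notice lists header-visible addresses plus the addressee itself."""
    visible = visible_recipients(msg)
    out = {}
    for rcpt in envelope:
        shown = list(visible)
        if rcpt.lower() not in shown:
            shown.append(rcpt)  # a Bcc recipient learns only its own address
        out[rcpt] = TEMPLATE.format(src=msg["From"], dst=",".join(shown))
    return out

MSG = message_from_string(RAW)
```
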
Current thread:
- Trendmicro - Interscan - List of BCC: is revealed when stripping attachments and notifying destination addresses Ishay Sommer (Apr 24)
- RE: Trendmicro - Interscan - List of BCC: is revealed when stripping attachments and notifying destination addresses Florent Trupheme (Apr 25)
- Re: Trendmicro - Interscan - List of BCC: is revealed when stripping attachments and notifying destination addresses Rich Lafferty (Apr 25)