[25259] in bugtraq
RE: Trendmicro - Interscan - List of BCC: is revealed when stripping attachments and notifying destination addresses
daemon@ATHENA.MIT.EDU (Florent Trupheme)
Thu Apr 25 23:06:21 2002
From: Florent Trupheme <ftrupheme@telsys.ch>
To: "Ishay Sommer" <ishaybas@netvision.net.il>, <bugtraq@securityfocus.com>
Date: Thu, 25 Apr 2002 10:25:55 +0200
Message-ID: <OIEKKEANDIICFJCFNBMAIEGFCDAA.ftrupheme@telsys.ch>
MIME-Version: 1.0
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: 7bit
In-reply-to: <3CC67184.3030902@netvision.net.il>
Hello,
The current version of InterScan for Solaris is 1207 and corrects your
issue.
Regards
>> -----Original Message-----
>> From: Ishay Sommer [mailto:ishaybas@netvision.net.il]
>> Sent: Wednesday, 24 April 2002 10:49
>> To: bugtraq@securityfocus.com
>> Subject: Trendmicro - Interscan - List of BCC: is revealed when
>> stripping attachments and notifying destination addresses
>>
>>
>> Hello.
>>
>> This email was sent to support@trendmicro.com over a week ago,
>> so far, no response.
>>
>> In the company that I work for, we use InterScan Version
>> 3.6-Build_1142 for
>> stripping of unwanted attachments, "Spam".
>> No other versions have been tested.
>>
>> Our sys admin has configured the mail scanner to notify all
>> destination addresses of a message containing such attachments of
>> the "Spam" alert. Meaning that if I send a bad content message to
>> 10 recipients, all of them receive
>> a "Spam" alert.
>>
>> The problem is that each one of the recipients receives in his
>> mailbox the spam warning message,
>> including all addresses to which the original message was sent,
>> even if they were sent as Bcc:
>>
>> For example:
>>
>> **************** eManager Notification *****************
>>
>> The following mail was blocked since it contains sensitive
>> content.
>>
>> Source mailbox: <ME>
>> Destination mailbox(es): <RCPT1>,<RCPT2>,<RCPT3>
>> Policy: Attachment Removal
>> Attachment file name: accident.mpg - video/mpg
>> Action: Replaced with text
>>
>> The email was stripped from its attachment, since it doesn't
>> comply with <ISP>'s Email Policy as can be viewed by <ISP>'s
>> employees....
>>
>> ******************* End of message *********************
>>
>> This is a serious security disclosure vulnerability, as all of the
>> message's recipients now have all
>> the email addresses which were supposed to be kept secret.
>>
>> I wish to publish this vulnerability on Bugtraq, after providing
>> you with sufficient time to correct the problem, based on your
>> response, and our communication.
>>
>> Thank you
>>
>> Ishay Sommer
>>
>>
>>
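The leak described above comes from a gateway notification template that copies the full envelope recipient list (which includes Bcc: recipients) into a message sent to every recipient. The following is an added example, not code from either poster or from Trend Micro: it derives the Bcc: set as the envelope recipients missing from the visible To:/Cc: headers, generates one notice per recipient that lists only header-visible addresses plus that recipient's own, and includes a check that flags a notice naming any other Bcc: recipient. The sample message, envelope list and policy strings are constructed.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample input: the recipients the gateway accepted via RCPT TO,
# and the message headers, where only two of the three are visible.
ENVELOPE_RCPTS = ["rcpt1@example.com", "rcpt2@example.com", "rcpt3@example.com"]
RAW_MESSAGE = (
    "From: me@example.com\n"
    "To: rcpt1@example.com\n"
    "Cc: Second Person <rcpt2@example.com>\n"
    "Subject: accident\n"
    "\n"
    "body\n"
)

def header_recipients(raw):
    """Addresses every recipient can already see: the To: and Cc: headers."""
    msg = message_from_string(raw)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}

def bcc_recipients(raw, envelope):
    """Envelope recipients absent from the visible headers, i.e. the Bcc: set."""
    return {r.lower() for r in envelope} - header_recipients(raw)

def build_notification(raw, rcpt, policy, attachment):
    """Per-recipient notice in the shape of the quoted eManager template,
    disclosing only header-visible addresses plus the recipient's own."""
    sender = parseaddr(message_from_string(raw).get("From", ""))[1]
    shown = sorted(header_recipients(raw) | {rcpt.lower()})
    return (
        "**************** eManager Notification *****************\n"
        f"Source mailbox: <{sender}>\n"
        f"Destination mailbox(es): {','.join('<' + a + '>' for a in shown)}\n"
        f"Policy: {policy}\n"
        f"Attachment file name: {attachment}\n"
        "Action: Replaced with text\n"
    )

def all_notifications(raw, envelope, policy, attachment):
    """One safe notice per envelope recipient, keyed by recipient address."""
    return {r: build_notification(raw, r, policy, attachment) for r in envelope}

def notification_leaks_bcc(text, rcpt, raw, envelope):
    """Detection check for any template: True if the notice addressed to rcpt
    names a Bcc: recipient other than rcpt itself."""
    others = bcc_recipients(raw, envelope) - {rcpt.lower()}
    return any(addr in text.lower() for addr in others)
```

Running the check against a notice built with the vulnerable template (all envelope recipients listed) returns True for the To:/Cc: recipients, which is exactly the report's finding.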