Ref: http://www.securityfocus.com/archive/1/367866, Jul 1 2004 1:19PM, Subj: Brightmail leaks other user's spam
Thomas Springer posted:
Brightmail Spamfilter 6.0 offers a possibility to manage mails identified
as spam in an http-driven "control-center" on the
Brightmail server via links like
http://SERVER:41080/brightmail/quarantine/viewMsgDetails.do?id=QMsgView-3;3-0
Simply altering the last numbers in the URL (3;3 to 4;4, e.g.) shows other
domain users' spam mail without any authentication.
Confirmed with version 6.0.0.100 and previous beta versions.
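The defect described above is a missing object-level authorization check: the quarantine viewer resolves a message by the id in the URL and never asks whether the calling user may see that message. The following Python is an added illustration, not Brightmail code, that models a quarantine lookup in the reported form beside a version that binds the lookup to the authenticated user's domain and records denied requests, so that id probing shows up in an audit log. The message ids, addresses, domains and user names are constructed for the example.

```python
"""Object-level authorization for a spam-quarantine viewer (added example).

Models the reported behaviour (lookup by id alone) next to a hardened lookup
that checks the message's recipient domain against the caller's domain.
All ids, addresses and users are constructed; nothing here is Brightmail code.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class QuarantinedMessage:
    msg_id: str        # constructed id, in the style of the reported URL parameter
    recipient: str     # address the filtered mail was addressed to
    subject: str


@dataclass(frozen=True)
class User:
    username: str
    domain: str                  # the only domain this user may administer
    is_global_admin: bool = False


# Constructed quarantine contents for two tenant domains.
QUARANTINE = {
    "QMsgView-3;3-0": QuarantinedMessage("QMsgView-3;3-0", "alice@example.com", "cheap pills"),
    "QMsgView-4;4-0": QuarantinedMessage("QMsgView-4;4-0", "bob@example.org", "you have won"),
}

# Audit trail of access decisions, one line per request (constructed format).
audit_log: List[str] = []


class AccessDenied(Exception):
    pass


def view_msg_details_vulnerable(msg_id: str) -> Optional[QuarantinedMessage]:
    """Lookup by id only. Any authenticated user who edits the id in the URL
    receives whatever message carries that id, regardless of domain."""
    return QUARANTINE.get(msg_id)


def recipient_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def view_msg_details(user: User, msg_id: str) -> QuarantinedMessage:
    """Hardened lookup. The id only selects a candidate; the decision is made
    by comparing the message's recipient domain with the caller's domain."""
    msg = QUARANTINE.get(msg_id)
    if msg is None:
        # Unknown ids are logged and denied the same way as forbidden ones,
        # so the response does not reveal which ids exist.
        audit_log.append(f"DENY user={user.username} msg={msg_id} reason=unknown")
        raise AccessDenied(msg_id)
    if not user.is_global_admin and recipient_domain(msg.recipient) != user.domain.lower():
        audit_log.append(f"DENY user={user.username} msg={msg_id} reason=cross-domain")
        raise AccessDenied(msg_id)
    audit_log.append(f"ALLOW user={user.username} msg={msg_id}")
    return msg


def can_view(user: User, msg_id: str) -> bool:
    """Convenience wrapper: True if the hardened lookup succeeds."""
    try:
        view_msg_details(user, msg_id)
        return True
    except AccessDenied:
        return False


def flag_enumeration(log: Optional[List[str]] = None, threshold: int = 2) -> List[str]:
    """Return users with at least `threshold` DENY entries in the audit log,
    the pattern a user stepping through quarantine ids would leave behind."""
    lines = audit_log if log is None else log
    denies = Counter()
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if line.startswith("DENY"):
            denies[fields["user"]] += 1
    return sorted(u for u, n in denies.items() if n >= threshold)


if __name__ == "__main__":
    alice_admin = User("alice-admin", "example.com")
    print(view_msg_details_vulnerable("QMsgView-4;4-0"))   # other domain's mail returned
    print(can_view(alice_admin, "QMsgView-3;3-0"))         # True: own domain
    print(can_view(alice_admin, "QMsgView-4;4-0"))         # False: cross-domain
    print(flag_enumeration(threshold=1))                   # ['alice-admin']
```

The check is deliberately placed in the lookup itself rather than in the URL handler, so every code path that resolves a quarantine id goes through it; the audit line for denied requests gives an operator something to alert on when one session is rejected for several ids in a row.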
----------------------------------------------------------------------------snip------------------
Symantec Response:
Symantec Brightmail Anti-Spam Unauthorized Filtered Mail Access - BID 10657
Risk
Low
Overview
An issue with Symantec's Brightmail Anti-Spam 6.0 was posted to the
SecurityFocus Bugtraq mailing list concerning unauthorized access to
filtered emails through manipulation of queries to the web-based Control
Center.
Components Affected
Symantec Brightmail Anti-Spam 6.0
Description
Symantec is aware of a recent posting,
http://www.securityfocus.com/archive/1/367866, concerning unauthorized
access to filtered spam emails in Symantec Brightmail Anti-Spam 6.0.
Symantec Brightmail Anti-Spam 6.0 is a high-performance software solution
that blocks spam at the Internet gateway. Brightmail Anti-Spam 6.0
provides an access-restricted web-based Control Center for administration
and management of Symantec Brightmail Anti-Spam servers.
Users with authorized access to the Control Center can review the spam
emails that are being filtered and quarantined. However, according to the
poster, by modifying the query to the Control Center, the user could
potentially gain access to filtered spam emails of other domains or users
that they may not be authorized to access.
Symantec Response
Symantec engineers confirmed that by manipulating the Quarantine URL within
the Control Center, a user who is authorized to access the Control Center
could gain access to filtered spam emails on the Control Center server that
they were possibly not authorized to view.
Symantec takes the proper functionality of our products seriously.
Although this presents a low-level security concern, since anyone who has
access to the Control Center should be an authorized administrator,
Symantec Brightmail has addressed this issue in a fix available to
authorized customers through the support download site,
http://support.brightmail.com.
Symantec recommends that customers who have not already applied this update
do so to alleviate any concerns from this issue.
Symantec Product Security Contact Information:
Symantec takes the security and proper functionality of its products very
seriously. As founding members in the Organization for Internet Safety,
http://www.oisafety.org/, Symantec
follows the process of responsible disclosure. You can view our policy on
vulnerability handling here, http://www.symantec.com/security. Symantec
also subscribes to the vulnerability
guidelines, http://www.dhs.gov/interweb/assetlibrary/vdwgreport.pdf,
outlined by the National Infrastructure Advisory Council (NIAC). Please
contact secure@xxxxxxxxxxxx if you feel you
have discovered a potential or actual security issue with a Symantec
product.
Symantec strongly recommends using encrypted email for reporting
vulnerability information to secure@xxxxxxxxxxxxx. The Symantec Product
Security PGP key can be obtained here,
http://www.symantec.com/security.
Copyright (c) 2004 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as
it is not edited in any way unless authorized by Symantec Product
Security. Reprinting the whole or parts of this alert in any medium other
than electronically requires permission from secure@xxxxxxxxxxxxx.
Disclaimer
The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS
IS condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage
arising from use of, or reliance on, this information.
Symantec, Symantec products, and Symantec Product Security are registered
trademarks of Symantec Corp. and/or affiliated companies in the United
States and other countries. All
other registered and unregistered trademarks represented in this document
are the sole property of their respective companies/owners.