
Ref: http://www.securityfocus.com/archive/1/367866, Jul 1 2004 1:19PM, Subj: Brightmail leaks other user's spam



Thomas Springer posted:

Brightmail Spamfilter 6.0 offers a way to manage mails identified as spam 
in an HTTP-driven "control-center" on the Brightmail server via links like 
http://SERVER:41080/brightmail/quarantine/viewMsgDetails.do?id=QMsgView-3;3-0

Simply altering the last numbers in the URL (3;3 to 4;4, e.g.) shows other 
domain users' spam mail without any authentication.

Confirmed with version 6.0.0.100 and previous beta versions.
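What the post describes is an insecure direct object reference: the quarantine viewer resolves a message from the id in the URL alone and never checks whether the calling account is entitled to that particular message, so walking neighbouring ids walks other customers' quarantines. The Python model below is added here as an illustration; it is not code from Thomas Springer's post, from Symantec, or from the Brightmail product. It places a handler that behaves as reported next to a hardened one that binds the message to the caller's domain, and reproduces the post's test of trying the ids next to one the user legitimately owns. The message store, the users and the integer ids are constructed for the example (real ids look like QMsgView-3;3-0, and the page does not document their structure).

```python
"""Model of the quarantine-viewer authorization bug described in the post.

Everything here is constructed for illustration: the message store, the
users and the integer ids are assumptions, not Brightmail internals.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class User:
    name: str
    domain: str                 # the mail domain this account administers
    is_superadmin: bool = False


@dataclass(frozen=True)
class QuarantinedMessage:
    msg_id: int
    recipient: str              # e.g. "bob@example.net"
    subject: str

    @property
    def domain(self) -> str:
        return self.recipient.rsplit("@", 1)[1].lower()


# Constructed sample quarantine: consecutive ids that span several domains,
# which is exactly what makes "alter the last number in the URL" pay off.
QUARANTINE = {
    3: QuarantinedMessage(3, "alice@example.com", "cheap pills"),
    4: QuarantinedMessage(4, "bob@example.net", "you have won"),
    5: QuarantinedMessage(5, "carol@example.org", "re: invoice"),
}


class Forbidden(Exception):
    """Raised by the hardened handler when the caller may not see the message."""


def view_msg_details_vulnerable(user: User, msg_id: int) -> Optional[QuarantinedMessage]:
    """Mirrors the reported behaviour: any logged-in user gets any id."""
    return QUARANTINE.get(msg_id)


def view_msg_details_hardened(user: User, msg_id: int) -> QuarantinedMessage:
    """Authorize against the object, not just the session.

    Look the message up, then check that the caller is entitled to it. The
    same error is returned for "not found" and "not yours", so walking ids
    does not even confirm which ids exist.
    """
    msg = QUARANTINE.get(msg_id)
    if msg is None or not (user.is_superadmin or msg.domain == user.domain):
        raise Forbidden(f"message {msg_id} is not accessible to {user.name}")
    return msg


Handler = Callable[[User, int], Optional[QuarantinedMessage]]


def walk_ids(handler: Handler, user: User, start: int, count: int) -> List[int]:
    """Reproduce the post's test: start at an id the user legitimately owns
    and try the neighbouring ids. Returns the ids of messages belonging to
    other domains that the handler disclosed."""
    leaked = []
    for msg_id in range(start, start + count):
        try:
            msg = handler(user, msg_id)
        except Forbidden:
            continue
        if msg is not None and not user.is_superadmin and msg.domain != user.domain:
            leaked.append(msg_id)
    return leaked


if __name__ == "__main__":
    alice_admin = User("alice-admin", "example.com")
    print("vulnerable leaks:", walk_ids(view_msg_details_vulnerable, alice_admin, 3, 3))
    print("hardened leaks:  ", walk_ids(view_msg_details_hardened, alice_admin, 3, 3))
```

The check in the hardened handler is per object, which is the point: authenticating the session (the "access-restricted" Control Center) says nothing about whether a given message id belongs to the caller. Using unguessable or per-session indirect references instead of sequential ids reduces how much an enumerator learns, but it is not a substitute for the ownership check.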

----------------------------------------------------------------------------snip------------------
Symantec Response:

Symantec Brightmail Anti-Spam Unauthorized Filtered Mail Access - BID 10657

Risk

Low

Overview

An issue with Symantec's Brightmail Anti-Spam 6.0 was posted to the 
SecurityFocus Bugtraq mailing list concerning unauthorized access to 
filtered emails through manipulation of queries to the web-based Control 
Center.

Components Affected

Symantec Brightmail Anti-Spam 6.0 

Description

Symantec is aware of a recent posting, 
http://www.securityfocus.com/archive/1/367866, concerning unauthorized 
access to filtered spam emails in Symantec Brightmail Anti-Spam 6.0. 
Symantec Brightmail Anti-Spam 6.0 is a high-performance software solution 
that blocks spam at the Internet gateway.  Brightmail Anti-Spam 6.0 
provides an access-restricted web-based Control Center for administration 
and management of Symantec Brightmail Anti-Spam servers.

Users with authorized access to the Control Center can review the spam 
emails that are being filtered and quarantined.  However, according to the 
poster, by modifying the query to the Control Center, the user could 
potentially gain access to filtered spam emails of other domains or users 
that they may not be authorized to access.

Symantec Response

Symantec engineers confirmed that by properly manipulating the Quarantine 
URL within the Control Center, a user who is authorized to access the 
Control Center could gain access to filtered spam emails on the Control 
Center server that they were possibly not authorized to view.

Symantec takes the proper functionality of our products seriously. 
Although this presents a low-level security concern, since anyone who has 
access to the Control Center should be an authorized administrator, 
Symantec Brightmail has addressed this issue in a fix available to 
authorized customers through the support download site, 
http://support.brightmail.com. Symantec recommends that customers who have 
not already applied this update do so to alleviate any concerns from this 
issue.

Symantec Product Security Contact Information:

Symantec takes the security and proper functionality of its products very 
seriously. As a founding member of the Organization for Internet Safety, 
http://www.oisafety.org/, Symantec follows the process of responsible 
disclosure.  You can view our policy on vulnerability handling here, 
http://www.symantec.com/security.  Symantec also subscribes to the 
vulnerability guidelines, 
http://www.dhs.gov/interweb/assetlibrary/vdwgreport.pdf, outlined by the 
National Infrastructure Advisory Council (NIAC). Please contact 
secure@xxxxxxxxxxxx if you feel you have discovered a potential or actual 
security issue with a Symantec product.

Symantec strongly recommends using encrypted email for reporting 
vulnerability information to secure@xxxxxxxxxxxxx The Symantec Product 
Security PGP key can be obtained here, 
http://www.symantec.com/security.


Copyright (c) 2004 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as 
it is not edited in any way unless authorized by Symantec Product 
Security. Reprinting the whole or parts of this 
alert in any medium other than electronically requires permission from 
secure@xxxxxxxxxxxxx

Disclaimer
The information in the advisory is believed to be accurate at the time of 
publishing based on currently available information. Use of the 
information constitutes acceptance for use in an AS
IS condition. There are no warranties with regard to this information. 
Neither the author nor the publisher accepts any liability for any direct, 
indirect, or consequential loss or damage
arising from use of, or reliance on, this information.

Symantec, Symantec products, and Symantec Product Security are registered 
trademarks of Symantec Corp. and/or affiliated companies in the United 
States and other countries. All
other registered and unregistered trademarks represented in this document 
are the sole property of their respective companies/owners.