<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri","sans-serif";}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:12.0pt;color:#222222;background:white">Hi folks,</span><span style="font-size:12.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:#222222"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:#222222">We just got hit with two audit findings for ZendTo, and I was wondering if there was any fix/workaround for these.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:#222222"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:#222222">#1: ZendTo allows any file of any extension to be dropped off. Is there a way to whitelist a few extensions and reject all others?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:#222222"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:#222222">#2: ZendTo's error reporting allows attackers to enumerate your organization's userlist. By brute-forcing the "To:" field in a drop-off, the attacker can get the full list of valid users in LDAP.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:#222222"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:#222222">I can give further details as needed.<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Best regards,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Ryan Stepalavich, CSSA<o:p></o:p></p>
<p class="MsoNormal">Sr. Network Administrator<o:p></o:p></p>
<p class="MsoNormal">Savings Institute Bank &amp; Trust, Co.<o:p></o:p></p>
<p class="MsoNormal">Office: (860) 465-8602<o:p></o:p></p>
<p class="MsoNormal">Fax: (860) 456-5218<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<pre>
This document and any files transmitted with it are
confidential and intended solely for the use of the individual
or entity to whom they are addressed. If you have received this
document in error please notify the originator of the message.
Any views expressed in this message are those of the individual
sender, except where the sender specifies and with authority,
states them to be the views of Savings Institute Bank &amp; Trust.
This footer confirms that this e-mail message has been scanned
for the presence of computer viruses by the Savings Institute
email gateway.
</pre>
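<p class="MsoNormal">Added example, not ZendTo code and not from the poster: a sketch of the two mitigations the findings above call for, an extension allow-list that handles the usual filename edge cases, and a drop-off response that is identical for known and unknown recipients so the "To:" field cannot be used to confirm LDAP users. The allow-list, the allowed domains and the in-memory DIRECTORY are constructed stand-ins for configuration and LDAP.</p>

```python
"""Added example (not ZendTo code): mitigation sketches for the two findings.

Hypothetical: ALLOWED_EXTENSIONS, ALLOWED_DOMAINS and DIRECTORY are
constructed stand-ins; a real deployment would read config and query LDAP.
"""
import posixpath
import re

# Finding #1: allow-list of extensions (constructed sample).
ALLOWED_EXTENSIONS = {"pdf", "docx", "xlsx", "zip"}

def extension_allowed(filename: str) -> bool:
    """True only if the last extension is on the allow-list.

    Handles path components and backslashes, upper-case extensions,
    trailing dots/spaces ("report.pdf."), dotfiles and names with no
    extension. Extension checks are a partial control: "x.php.pdf" passes
    here, so content inspection and no-execute storage still matter.
    """
    name = posixpath.basename(filename.replace("\\", "/")).rstrip(". ")
    stem, dot, ext = name.rpartition(".")
    if not stem or not dot:
        return False
    return ext.lower() in ALLOWED_EXTENSIONS

# Finding #2: the reply to a drop-off must not depend on recipient existence.
DIRECTORY = {"alice@example.com", "bob@example.com"}   # stand-in for LDAP
ALLOWED_DOMAINS = {"example.com"}
_ADDR_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")
NEUTRAL_REPLY = "If the recipient is a valid user they will be notified."

def leaky_submit(address: str) -> str:
    """The audited behaviour: distinct replies let a caller test each guess."""
    return "Queued" if address.lower() in DIRECTORY else "Unknown recipient"

def submit_dropoff(address: str, outbox: list) -> str:
    """Non-enumerating variant: only the public part (the domain) is validated
    up front; existence is resolved out of band when notifying, so the
    caller sees NEUTRAL_REPLY for known and unknown users alike."""
    addr = address.strip().lower()
    m = _ADDR_RE.match(addr)
    if not m or m.group(1) not in ALLOWED_DOMAINS:
        return "Recipient must be an address in an allowed domain."
    if addr in DIRECTORY:          # resolved here, never surfaced to the caller
        outbox.append(addr)
    return NEUTRAL_REPLY
```

A uniform reply closes the direct oracle; pair it with rate limiting on drop-off submissions, since timing or volume can still leak in a real deployment.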
</body>
</html>