Brightmail leaks other user's spam

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Brightmail Spamfilter 6.0 offer a possibility to manage mails identified as spam in a http-driven "control-center" on the Brightmail-Server via links like
http://SERVER:41080/brightmail/quarantine/viewMsgDetails.do?id=QMsgView-3;3-0

Simply altering the last numbers in the URL (3;3 to 4;4, eg.) shows other domain-users Spam-Mail without any authentication.

Confirmed with Version 6.0.0.100 and previous beta-versions.

Brightmails support is aware of the problem, but didn't bother to confirm the problem in the 6.0 final.

Thomas Springer
--
Nach mir der Synflood.
[Index of Archives]     [Linux Security]     [Netfilter]     [PHP]     [Yosemite News]     [Linux Kernel]

  Powered by Linux