Thomas Springer posted:

Brightmail Spamfilter 6.0 offers a possibility to manage mails identified as spam in an HTTP-driven "control-center" on the Brightmail server via links like

http://SERVER:41080/brightmail/quarantine/viewMsgDetails.do?id=QMsgView-3;3-0

Simply altering the last numbers in the URL (3;3 to 4;4, e.g.) shows other domain users' spam mail without any authentication.

Confirmed with version 6.0.0.100 and previous beta versions.

----------------------------------------------------------------------------snip------------------

Symantec Response:

Symantec Brightmail Anti-Spam Unauthorized Filtered Mail Access - BID 10657

Risk: Low

Overview

An issue with Symantec's Brightmail Anti-Spam 6.0 was posted to the SecurityFocus Bugtraq mailing list concerning unauthorized access to filtered emails through manipulation of queries to the web-based Control Center.

Components Affected

Symantec Brightmail Anti-Spam 6.0

Description

Symantec is aware of a recent posting, http://www.securityfocus.com/archive/1/367866 , concerning unauthorized access to filtered spam emails in Symantec Brightmail Anti-Spam 6.0. Symantec Brightmail Anti-Spam 6.0 is a high performance software solution that blocks spam at the Internet gateway. Brightmail Anti-Spam 6.0 provides an access-restricted web-based Control Center for administration and management of Symantec Brightmail Anti-Spam servers. Users with authorized access to the Control Center can review the spam emails that are being filtered and quarantined. However, according to the poster, by modifying the query to the Control Center, the user could potentially gain access to filtered spam emails of other domains or users that they may not be authorized to access.
Symantec Response

Symantec engineers confirmed that by properly manipulating the Quarantine URL within the Control Center, a user who is authorized to access the Control Center could gain access to filtered spam emails on the Control Center server that they were possibly not authorized to view.

Symantec takes the proper functionality of our products seriously. Although this presents a low-level security concern, since anyone who has access to the Control Center should be an authorized administrator, Symantec Brightmail has addressed this issue in a fix available to authorized customers through the support download site, http://support.brightmail.com. Symantec recommends that customers who have not already applied this update do so to alleviate any concerns from this issue.

Symantec Product Security Contact Information:

Symantec takes the security and proper functionality of its products very seriously. As founding members in the Organization for Internet Safety, http://www.oisafety.org/, Symantec follows the process of responsible disclosure. You can view our policy on vulnerability handling here, http://www.symantec.com/security. Symantec also subscribes to the vulnerability guidelines, http://www.dhs.gov/interweb/assetlibrary/vdwgreport.pdf, outlined by the National Infrastructure Advisory Council (NIAC).

Please contact secure@xxxxxxxxxxxx if you feel you have discovered a potential or actual security issue with a Symantec product. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@xxxxxxxxxxxxx The Symantec Product Security PGP key can be obtained here, http://www.symantec.com/security.

Copyright (c) 2004 by Symantec Corp. Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Product Security.
Reprinting the whole or parts of this alert in any medium other than electronically requires permission from secure@xxxxxxxxxxxxx

Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, and Symantec Product Security are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
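The flaw the post and the advisory describe is an insecure direct object reference: the quarantine view trusts the id parameter and never checks that the message belongs to the requesting user or domain. Below is an added, self-contained Python example, not Brightmail's code (the Control Center is a closed-source Java application), that models a quarantine store, shows a handler with the reported behaviour beside one that binds each lookup to the authenticated principal, and includes the neighbouring-id probe a tester would use to confirm a fix. The id format QMsgView-3;3-0, the port and the URL path are taken from the post; the assumption that the two numbers are sequential keys that move together (as in the poster's 3;3 to 4;4), the principal model and the sample messages are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import quote

# Id pattern seen in the post (QMsgView-3;3-0). Assumption for this example only:
# the two numbers are sequential keys that move together, as in 3;3 -> 4;4.
ID_RE = re.compile(r"^QMsgView-(\d+);(\d+)-(\d+)$")


@dataclass(frozen=True)
class Principal:
    """Authenticated Control Center session (constructed model, not Brightmail's)."""
    user: str
    domain: str
    is_admin: bool = False  # a domain administrator may read that domain's whole quarantine

    @property
    def address(self) -> str:
        return f"{self.user}@{self.domain}"


@dataclass(frozen=True)
class QuarantinedMessage:
    msg_id: str
    recipient: str  # user@domain the spam was addressed to
    subject: str

    @property
    def domain(self) -> str:
        return self.recipient.rsplit("@", 1)[1]


# Constructed sample quarantine: three messages across two domains.
QUARANTINE: Dict[str, QuarantinedMessage] = {
    "QMsgView-3;3-0": QuarantinedMessage("QMsgView-3;3-0", "alice@example.com", "cheap meds"),
    "QMsgView-4;4-0": QuarantinedMessage("QMsgView-4;4-0", "bob@example.com", "you have won"),
    "QMsgView-5;5-0": QuarantinedMessage("QMsgView-5;5-0", "carol@example.org", "re: invoice"),
}

Handler = Callable[[Principal, str], Optional[QuarantinedMessage]]


def may_view(session: Principal, msg: QuarantinedMessage) -> bool:
    """Authorization rule: your own messages, or any message in a domain you administer."""
    if msg.recipient == session.address:
        return True
    return session.is_admin and msg.domain == session.domain


def view_msg_details_vulnerable(session: Principal, msg_id: str) -> Optional[QuarantinedMessage]:
    """Reported behaviour: being logged in is the only check; the id is trusted as-is."""
    return QUARANTINE.get(msg_id)


def view_msg_details_fixed(session: Principal, msg_id: str) -> Optional[QuarantinedMessage]:
    """Hardened: every lookup is bound to the authenticated principal.

    Unknown and unauthorized ids both yield None, so the endpoint cannot be used as an
    oracle for which ids exist in other users' quarantines.
    """
    msg = QUARANTINE.get(msg_id)
    if msg is None or not may_view(session, msg):
        return None
    return msg


def quarantine_url(host: str, msg_id: str) -> str:
    """Build the Control Center URL from the post for a given id (port 41080 as posted)."""
    return (f"http://{host}:41080/brightmail/quarantine/viewMsgDetails.do?id="
            + quote(msg_id, safe=";"))


def neighbour_ids(seed_id: str, span: int) -> List[str]:
    """Ids a tester would try by 'altering the last numbers' of a seed id, as the poster did."""
    m = ID_RE.match(seed_id)
    if m is None:
        raise ValueError(f"unexpected id format: {seed_id!r}")
    n, tail = int(m.group(1)), m.group(3)
    return [f"QMsgView-{n + k};{n + k}-{tail}" for k in range(1, span + 1)]


def probe(handler: Handler, session: Principal, seed_id: str, span: int) -> List[str]:
    """Return the ids of messages `handler` discloses that `session` has no right to see."""
    leaked: List[str] = []
    for mid in neighbour_ids(seed_id, span):
        msg = handler(session, mid)
        if msg is not None and not may_view(session, msg):
            leaked.append(mid)
    return leaked


if __name__ == "__main__":
    alice = Principal("alice", "example.com")
    seed = "QMsgView-3;3-0"
    print("probing neighbours of", quarantine_url("SERVER", seed))
    print("vulnerable handler leaks:", probe(view_msg_details_vulnerable, alice, seed, 2))
    print("fixed handler leaks:     ", probe(view_msg_details_fixed, alice, seed, 2))
```

Two points to carry over when verifying a real deployment: run the probe with an ordinary user's session and with a domain administrator's session, since the advisory's own wording (access by a user who is authorized for the Control Center) makes the per-domain boundary the one to check; and make the fixed handler's "not found" and "not yours" responses indistinguishable, otherwise the patched endpoint still tells an attacker which ids exist.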