Message-ID: <3F73CDB3.708@ccs.neu.edu>
Date: Fri, 26 Sep 2003 01:25:07 -0400
From: Stan Bubrouski <stan@....neu.edu>
To: Phuong Nguyen <dphuong@...oo.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: LanSuite 2003 - Multiple Vulnerabilities
Phuong,
I have found all the vulnerabilities you found, plus
the ones in my e-mail, and I still know of 6 other
buffer overflows in the product which have yet to
be fixed. These issues ARE NOT new, and Software602
is lying if they do not acknowledge it. Those e-mails
were sent to an American representative of the company,
because the developers do not speak English or can't
read it at least or something along those lines.
These problems and several other far more serious
problems were reported to them more than a year
ago, and to be honest I just lost interest. They
are in the Czech Republic, and I am wondering
exactly how you reported these problems to them.
Of 21 security flaws I found in their product only
3 I am sure are fixed, the rest I am not sure as
I have not tested LanSuite 2003, but I did try out
the initial release and it is the same codebase as
2002 and the same vulnerabilities in the very same
code remain. I could tell because the implementation
especially for webmail is horribly flawed. My
recommendation was to completely rewrite it, as it
was an ugly hole-ridden mess that could not in
my opinion be easily fixed. I just want you
to know that Software602 was made aware of these
bugs and only seemed to have selectively fixed
the ones I made public. And even those they
denied existed.
-sb
Phuong Nguyen wrote:
> Stan,
>
> Thanks for pointing that out, but the problems I
> reported to Software602 LanSuite 2003 were
> acknowledged as new, and I had to wait for
> approximately a month for the patch.
>
> Besides, the problems you reported applied in LanSuite
> 2002, and some of them do exist in version 2003 too
> but to be honest, this is the first time I've seen
> this vulnerability report regarding LanSuite software.
> Most of the previous problem reports about Software602
> LanSuite were DoS attacks (LanSuite Proxy, and 'aux').
> I did a search on securiteam, securityfocus, and
> google for any known issues that are similar to mine
> regarding LanSuite, but haven't got any luck or I just
> missed it?
>
> Best regards,
> Phuong Nguyen