lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <3F73CDB3.708@ccs.neu.edu>
Date: Fri, 26 Sep 2003 01:25:07 -0400
From: Stan Bubrouski <stan@....neu.edu>
To: Phuong Nguyen <dphuong@...oo.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: LanSuite 2003 - Multiple Vulnerabilities


Phuong,

I have found all the vulnerabilities you found plus,
the ones in my e-mail and I still know of 6 other
buffer overflows in the product which have yet to
be fixed.  These issues ARE NOT new, and Software602
is lying if they do not acknowledge it.  Those e-mails
were sent to an American representative of the company,
because the devlopers do not speak english or can't
read it at least or something along those lines.

These problems and several other far more serious
problems were reported to them more than a year
ago, and to be honest I just lost interest.  They
are a in the Chech Republic, and I am wondering
exactly how you reported these problems to them.

Of 21 security flaws I found in there product only
3 I am sure are fixed, the rest I am not sure as
I have not tested Lansuite 2003, but I did try out
the initial release and it is the same codebase as
2002 and the same vulnerabilities in the very same
code remain.  I could tell because the implementation
especially for webmail is horribly flawed.  My
recommendation was to completely rewrite it, as it
was an ugly hole ridden mess that could not in
my opinion be easily fixed.  I just want you
to know that Software602 was made aware of these
bugs and only seemed to have selectively fixed
the ones I made public.  And even those they
denied existed.

-sb


Phuong Nguyen wrote:

> Stan,
> 
> Thanks for pointing that out, but the problems i
> reported to Software602 LanSuite 2003 were
> acknowledged as new, and i had to wait for
> approximately a month for the patch.
> 
> Beside, the problems you reported applied in LanSuite
> 2002, and some of them do exist in version 2003 too
> but to be honest, this is the first time i've seen
> this vulnerability report regarding LanSuite software.
> Most of the previous problems report about Software602
> Lansuite were DoS attacks (Lansuite Proxy, and 'aux') 
> I did a search on securiteam, securityfocus, and
> google for any known issues that are similar like mine
> regarding LanSuite, but haven't got any luck or i just
> missed it?
> 
> Best regards,
> Phuong Nguyen
> 
> 
> __________________________________
> Do you Yahoo!?
> The New Yahoo! Shopping - with improved product search
> http://shopping.yahoo.com
> 
> 





Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ