Re: LanSuite 2003 - Multiple Vulnerabilities

To: Phuong Nguyen <dphuong@xxxxxxxxx>
Subject: Re: LanSuite 2003 - Multiple Vulnerabilities
From: Stan Bubrouski <stan@xxxxxxxxxxx>
Date: Fri, 26 Sep 2003 01:25:07 -0400
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <20030926030732.76764.qmail@xxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20030926030732.76764.qmail@xxxxxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5b) Gecko/20030917

Phuong,

I have found all the vulnerabilities you found plus,
the ones in my e-mail and I still know of 6 other
buffer overflows in the product which have yet to
be fixed.  These issues ARE NOT new, and Software602
is lying if they do not acknowledge it.  Those e-mails
were sent to an American representative of the company,
because the devlopers do not speak english or can't
read it at least or something along those lines.

These problems and several other far more serious
problems were reported to them more than a year
ago, and to be honest I just lost interest.  They
are a in the Chech Republic, and I am wondering
exactly how you reported these problems to them.

Of 21 security flaws I found in there product only
3 I am sure are fixed, the rest I am not sure as
I have not tested Lansuite 2003, but I did try out
the initial release and it is the same codebase as
2002 and the same vulnerabilities in the very same
code remain.  I could tell because the implementation
especially for webmail is horribly flawed.  My
recommendation was to completely rewrite it, as it
was an ugly hole ridden mess that could not in
my opinion be easily fixed.  I just want you
to know that Software602 was made aware of these
bugs and only seemed to have selectively fixed
the ones I made public.  And even those they
denied existed.

-sb


Phuong Nguyen wrote:

Stan,

Thanks for pointing that out, but the problems i
reported to Software602 LanSuite 2003 were
acknowledged as new, and i had to wait for
approximately a month for the patch.

Beside, the problems you reported applied in LanSuite
2002, and some of them do exist in version 2003 too
but to be honest, this is the first time i've seen
this vulnerability report regarding LanSuite software.
Most of the previous problems report about Software602

Lansuite were DoS attacks (Lansuite Proxy, and 'aux')I did a search on securiteam, securityfocus, and

google for any known issues that are similar like mine
regarding LanSuite, but haven't got any luck or i just
missed it?

Best regards,
Phuong Nguyen


__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

References:
- Re: LanSuite 2003 - Multiple Vulnerabilities
  - From: Phuong Nguyen

Prev by Date: Re: base64
Next by Date: Re: LanSuite 2003 - Multiple Vulnerabilities
Previous by thread: Re: LanSuite 2003 - Multiple Vulnerabilities
Next by thread: My response to both the analysis of CIPE by Gutmann, Slashdot and the response by the CIPE list
Index(es):
- Date
- Thread