<<< Date Index >>>     <<< Thread Index >>>

Re: LanSuite 2003 - Multiple Vulnerabilities



Phuong,

I have found all the vulnerabilities you found plus,
the ones in my e-mail and I still know of 6 other
buffer overflows in the product which have yet to
be fixed.  These issues ARE NOT new, and Software602
is lying if they do not acknowledge it.  Those e-mails
were sent to an American representative of the company,
because the devlopers do not speak english or can't
read it at least or something along those lines.

These problems and several other far more serious
problems were reported to them more than a year
ago, and to be honest I just lost interest.  They
are a in the Chech Republic, and I am wondering
exactly how you reported these problems to them.

Of 21 security flaws I found in there product only
3 I am sure are fixed, the rest I am not sure as
I have not tested Lansuite 2003, but I did try out
the initial release and it is the same codebase as
2002 and the same vulnerabilities in the very same
code remain.  I could tell because the implementation
especially for webmail is horribly flawed.  My
recommendation was to completely rewrite it, as it
was an ugly hole ridden mess that could not in
my opinion be easily fixed.  I just want you
to know that Software602 was made aware of these
bugs and only seemed to have selectively fixed
the ones I made public.  And even those they
denied existed.

-sb


Phuong Nguyen wrote:

Stan,

Thanks for pointing that out, but the problems i
reported to Software602 LanSuite 2003 were
acknowledged as new, and i had to wait for
approximately a month for the patch.

Beside, the problems you reported applied in LanSuite
2002, and some of them do exist in version 2003 too
but to be honest, this is the first time i've seen
this vulnerability report regarding LanSuite software.
Most of the previous problems report about Software602
Lansuite were DoS attacks (Lansuite Proxy, and 'aux') I did a search on securiteam, securityfocus, and
google for any known issues that are similar like mine
regarding LanSuite, but haven't got any luck or i just
missed it?

Best regards,
Phuong Nguyen


__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com