Phuong,

I have found all the vulnerabilities you found plus the ones in my e-mail, and I still know of 6 other buffer overflows in the product which have yet to be fixed. These issues ARE NOT new, and Software602 is lying if they do not acknowledge it. Those e-mails were sent to an American representative of the company, because the developers do not speak English or can't read it at least or something along those lines. These problems and several other far more serious problems were reported to them more than a year ago, and to be honest I just lost interest. They are in the Czech Republic, and I am wondering exactly how you reported these problems to them.

Of 21 security flaws I found in their product only 3 I am sure are fixed, the rest I am not sure as I have not tested Lansuite 2003, but I did try out the initial release and it is the same codebase as 2002 and the same vulnerabilities in the very same code remain. I could tell because the implementation especially for webmail is horribly flawed. My recommendation was to completely rewrite it, as it was an ugly hole-ridden mess that could not in my opinion be easily fixed.

I just want you to know that Software602 was made aware of these bugs and only seemed to have selectively fixed the ones I made public. And even those they denied existed.

-sb

Phuong Nguyen wrote:
Stan,

Thanks for pointing that out, but the problems I reported to Software602 LanSuite 2003 were acknowledged as new, and I had to wait for approximately a month for the patch. Besides, the problems you reported applied in LanSuite 2002, and some of them do exist in version 2003 too, but to be honest, this is the first time I've seen this vulnerability report regarding LanSuite software. Most of the previous problem reports about Software602 Lansuite were DoS attacks (Lansuite Proxy, and 'aux').

I did a search on securiteam, securityfocus, and Google for any known issues that are similar to mine regarding LanSuite, but haven't got any luck or I just missed it?

Best regards,
Phuong Nguyen