|
602Pro LANSuite 2002 Multiple Vulnerabilities
|
|
Secunia Advisory:
|
SA9884
|
|
|
Release Date:
|
2003-09-30
|
|
Popularity:
|
5,247 views
|
|
|
Critical:
|
Highly critical
|
|
Impact:
|
Manipulation of data
Exposure of sensitive information
System access
|
|
Where:
|
From remote
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | 602Pro LANSuite 2002
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
|
Description:
Multiple vulnerabilities have been reported to affect LANSuite 2002 possibly allowing malicious people to gain system access and users to read and delete other users' mail.
1) Malicious users may read, delete, create, or rename other users' mail and arbitrary system files. The problem is that the "FolderDir" parameter isn't properly verified allowing malicious users to supply arbitrary paths. This may be exploited when using the "ChkMsgsAction" and "DELETEFOLDER" functions and when renaming or creating folders.
2) A buffer overflow may be caused by requesting a HTTP resource with a name longer than 5000 characters.
Example:
/mail/<5000 characters>
3) Another buffer overflow may be caused by supplying a username, which is longer than 2000 characters during HTTP authentication.
4) The FTP service may be crashed by supplying a 8000 character long username.
5) The FTP service consumes 100% CPU resources if a user supplies an argument longer than 2500 characters to commands like "cwd".
6) The "dele" command may reveal previously issued commands in the error message when "NULL" input is given.
7) LANSuite may consume large amounts of CPU resources or hang if HTTP requests contain multiple "/" or if filenames matching DOS device names like "aux.html" are requested.
The vulnerabilities have been reported in LANSuite 2002.
Some of these issues still exist in LANSuite 2003:
SA9882
Solution:
Use a firewall or proxy with URL filtering capabilities to filter malicious requests or upgrade to latest version of LANSuite 2003.
http://download3.software602.com/ls2003.exe
Provided and/or discovered by:
Stan Bubrouski
Other References:
SA9882:
http://secunia.com/advisories/9882/
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
