Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-03-06 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Vulnerabilities in L-Soft's LISTSERV and Microsoft's Visual Studio

Published: 2006-03-06
Last Updated: 2006-03-06 04:16:38 UTC
by Bojan Zdrnja (Version: 1)
0 comment(s)
NGSSoftware announced a number of vulnerabilities in L-Soft's LISTSERV list management system. The vulnerabilities have not been published, but as NGSSoftware worked with L-Soft, they are already fixed in the latest release of LISTSERV, 14.5.

It is strongly recommended that you upgrade to the latest version if you use LISTSERV, as the most critical vulnerability announced allows a remote unauthenticated attacker execution of arbitrary code on the system running LISTSERV.

The latest version of LISTSERV can be downloaded from http://www.lsoft.com/download/listserv.asp and http://www.lsoft.com/download/listservlite.asp (for LISTSERV Lite).

NGSSoftware said that they will publish full details about the flaw in June 2006.



Source code for the buffer overflow vulnerability recently reported in Microsoft's Visual Studio has been released. Visual Studio does not properly validate contents of database project (.dbp) and solution (.sln) files. The result of improper handling is a buffer overflow which can be exploited through the "DataProject" field in a .dbp file.
As the .dbp files are actually text files, it is very simple to craft an exploit.

There is no patch at the moment but, as always, standard rules apply, be very careful what you open.
Keywords:
0 comment(s)
Diary Archives