SECURITYVULNS:DOC:26367
May 16, 2011

Vulnerable and completely outdated 3rd party ZIP code in FastStone image viewer

The FastStone image viewer <http://www.faststone.org/> (and most
probably other FastStone products too) contains a 3rd party
ZipDll.dll 1.6.0.0 dated 2001-10-28.

This DLL was originally written by Chris Vleghert and Eric W. Engler,
based on InfoZIP's <http://infozip.org> code from 2000.

But it is vulnerable and completely outdated: the current version of
the successor <http://dll.delphizip.org/> is 1.90, the oldest version
(1.78.7.3) listed there is from July 2005, almost 4 years newer than
the DLL distributed with the FastStone image viewer.

According to <http://infozip.org/FAQ.html#corruption> all versions of
ZIP prior to 2.31 (November 2004) and UnZIP prior to 5.52
(February/March 2005) are vulnerable.

Vendor was informed via <http://www.faststone.org/contactUs.htm>,
but did not respond at all!

Stefan Kanthak

PS: Tools like Secunia's PSI don't detect such outdated and
vulnerable DLLs/components, so: user beware!
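
The following is an added example, not part of the original post: one way to inventory bundled copies of a DLL such as ZipDll.dll and read their file version straight from the PE version resource, for the case where patch-status tools do not look inside application directories. The function names, the raw signature scan and the 1.78.7.3 threshold (the oldest successor release the post mentions, not a stated fixed version) are assumptions.

```python
import os
import struct

# dwSignature that opens every VS_FIXEDFILEINFO block in a PE version resource
VS_FFI_SIGNATURE = struct.pack("<I", 0xFEEF04BD)
# Assumption: flag anything older than the oldest successor release named in the post
MINIMUM = (1, 78, 7, 3)

def pe_file_version(data):
    """Return (major, minor, build, revision) from the first VS_FIXEDFILEINFO, or None."""
    pos = data.find(VS_FFI_SIGNATURE)
    while pos != -1:
        if pos + 16 <= len(data):
            _sig, struc_ver, ms, ls = struct.unpack_from("<IIII", data, pos)
            if struc_ver == 0x00010000:  # reject chance matches of the signature bytes
                return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
        pos = data.find(VS_FFI_SIGNATURE, pos + 1)
    return None

def find_outdated(root, names, minimum=MINIMUM):
    """Walk root and return [(path, version)] for named DLLs below minimum.

    A DLL without any version resource is reported with version None,
    because an unversioned bundled component cannot be shown to be current.
    """
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() not in wanted:
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                version = pe_file_version(fh.read())
            if version is None or version < minimum:
                hits.append((path, version))
    return hits

# Constructed sample: a fake DLL body carrying file version 1.6.0.0
SAMPLE = b"MZ" + b"\0" * 64 + struct.pack(
    "<IIII", 0xFEEF04BD, 0x00010000, (1 << 16) | 6, 0)

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, version in find_outdated(root, ["ZipDll.dll", "UnzDll.dll"]):
        print(path, version)
```

The scan reads the version the DLL claims for itself; a vendor that patches a component without bumping its version resource would still be flagged, so treat hits as candidates for review.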