Security Advisory: Subscribe Me Lite 1.0 - 2.0 Unix or 1.0 - 2.0 NT and below.

2000-12-13T00:00:00
ID SECURITYVULNS:DOC:1057
Type securityvulns
Reporter Securityvulns
Modified 2000-12-13T00:00:00

Description

Note: This is not apparent in the commercial versions (tested on three different versions); the author was notified and appropriate changes have since been made.

product page -

http://www.cgiscriptcenter.com/subscribe/index2.html

vendor notice -

Security Advisory:

Users of Subscribe Me Lite 1.0 - 2.0 Unix or 1.0 - 2.0 NT, update today to protect your Subscribe Me Lite from outside access to your administration panel.

[Full disclosure]

Yes, that's right: a malicious user can cause somewhat considerable damage to a Subscribe Me Lite mailing list if you are using versions 1.0 - 2.0 Unix or 1.0 - 2.0 NT. A simple pre-formatted web browser call can allow an attacker to delete ANY user from the list, in the form of

http://url.to.victim.com/subscribe.pl?some@email.com

The user will be deleted from the list without any kind of verification whatsoever.

The vendor has updated with this information; please update yours.

Thanks Tom (Digital Vampire)

IC-CRYPT.com // Enhancing communications since 1998
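One way to close the unverified-removal hole described above, as an added example that is not part of the original advisory and is not the vendor's fix: a request carrying only an address triggers a confirmation token mailed to that address, and the list changes only when a valid token comes back. The function names, the secret and the token format are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Assumption: server-side secret, constructed for this example only.
SECRET = b"example-only-secret"
TOKEN_TTL = 24 * 3600  # confirmation links expire after one day


def remove_unverified(subscribers, query_string):
    """Behaviour the advisory describes: the bare query string is trusted."""
    subscribers.discard(query_string.lower())
    return "removed"


def _sign(email, expires):
    msg = f"{email.lower()}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_token(email, now=None):
    """Token mailed to the address itself; binds the address to an expiry."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    return f"{expires}.{_sign(email, expires)}"


def token_valid(email, token, now=None):
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False  # malformed token
    now = int(time.time() if now is None else now)
    # Compare as bytes in constant time; reject expired tokens.
    ok = hmac.compare_digest(sig.encode(), _sign(email, expires).encode())
    return ok and now <= expires


def remove_verified(subscribers, email, token=None, now=None):
    """Hardened flow: a request without a valid token never changes the list."""
    email = email.lower()
    if token is None:
        # A real handler would mail make_token(email) to the address here.
        # The same reply is given whether or not the address is subscribed.
        return "confirmation-sent"
    if not token_valid(email, token, now):
        return "rejected"
    subscribers.discard(email)
    return "removed"
```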