Title: Subscribe Me Lite 1.0 - 2.0 Unix and NT vulnerability
Released by: Tom Pickles
Date: 12th December 2000
Note: This is not apparent in the commercial versions (tested on three different versions). The author was notified and appropriate changes have since been made.

Product page: http://www.cgiscriptcenter.com/subscribe/index2.html

Vendor notice:

Security Advisory:

Users of Subscribe Me Lite 1.0 - 2.0 Unix or 1.0 - 2.0 NT, update today to protect your Subscribe Me Lite from outside access to your administration panel.

[Full disclosure]

Yes, that's right: a malicious user can cause considerable damage to a Subscribe Me Lite mailing list. If you are using versions 1.0 - 2.0 Unix or 1.0 - 2.0 NT, a simple pre-formatted web browser call allows an attacker to delete ANY user from the list. The call takes the form:

http://url.to.victim.com/subscribe.pl?some@email.com

The user will be deleted from the list without any kind of verification whatsoever.

The vendor has released an update that addresses this; please update your installation.

Thanks

Tom (Digital Vampire)

IC-CRYPT.com // Enhancing communications since 1998
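
The missing verification described above, shown next to one possible way to require it. This is an added example, not code from the advisory or from the vendor, and it is written in Python rather than Perl (the advisory's script is subscribe.pl); the function names, the `email` and `token` parameters, the HMAC confirmation scheme and the sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, unquote

# Constructed placeholder key; a real deployment keeps this server-side only.
SECRET = b"example-server-side-key"


def vulnerable_unsubscribe(query_string, subscribers):
    """Behaviour the advisory describes: the bare query string is taken
    as the address and removed with no verification of the requester."""
    email = unquote(query_string).strip().lower()
    if email in subscribers:
        subscribers.discard(email)
        return True
    return False


def make_token(email, secret=SECRET):
    """Token the list server mails to a subscriber in their own unsubscribe link."""
    norm = email.strip().lower().encode()
    return hmac.new(secret, norm, hashlib.sha256).hexdigest()


def hardened_unsubscribe(query_string, subscribers, secret=SECRET):
    """Remove an address only when the request carries the token issued for it."""
    params = parse_qs(query_string)
    emails = params.get("email", [])
    tokens = params.get("token", [])
    if len(emails) != 1 or len(tokens) != 1:
        return False  # a bare '?some@email.com' call has no token and stops here
    email = emails[0].strip().lower()
    expected = make_token(email, secret).encode()
    if not hmac.compare_digest(expected, tokens[0].encode()):
        return False  # token missing, forged, or issued for another address
    if email in subscribers:
        subscribers.discard(email)
        return True
    return False


if __name__ == "__main__":
    members = {"alice@example.com", "bob@example.com"}  # constructed sample list
    print(vulnerable_unsubscribe("alice@example.com", set(members)))
    print(hardened_unsubscribe("alice@example.com", set(members)))
    good = "email=alice%40example.com&token=" + make_token("alice@example.com")
    print(hardened_unsubscribe(good, set(members)))
```

Because the token is derived from a server-side key, only someone who received the link by mail at that address can present it.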







