Subject: Security Advisory: Subscribe Me Lite 1.0 - 2.0 Unix or 1.0 - 2.0 NT and below.
From: Tom Pickles (tom_pickles@HOTMAIL.COM)
Date: Tue Dec 12 2000 - 04:25:02 CST

Note: This is not apparent in the commercial versions (tested on three different versions). The author was notified and appropriate changes have since been made.

Product page -
http://www.cgiscriptcenter.com/subscribe/index2.html

Vendor notice -
Security Advisory:
Users of Subscribe Me Lite 1.0 - 2.0 Unix or 1.0 - 2.0 NT, update today to protect your Subscribe Me Lite from outside access to your administration panel.

[Full disclosure]
Yes, that's right: the malicious user can cause somewhat considerable damage to a Subscribe Me Lite mailing list if you are using versions 1.0 - 2.0 Unix or 1.0 - 2.0 NT. A simple pre-formatted web browser call can allow an attacker to delete ANY user from the list, in the form of

http://url.to.victim.com/subscribe.pl?some@email.com

The user will be deleted from the list without any kind of verification whatsoever.

The vendor has updated with this information; please update yours.

Thanks
Tom (Digital Vampire)
IC-CRYPT.com // Enhancing communications since 1998
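
The missing verification step described in the advisory, shown beside one way to add it. This is an added example, not part of the original post and not the vendor's code (the page does not describe the vendor's actual fix). The function names, the `email` and `token` parameter names, the key and the addresses are all assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Placeholder key (assumption); a real deployment uses a random server-side secret.
SECRET_KEY = b"replace-with-random-server-side-key"


def unsubscribe_token(email: str) -> str:
    """HMAC-SHA256 over the normalized address. The list software mails this
    token only to the address itself, so only its owner can present it."""
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(SECRET_KEY, normalized, hashlib.sha256).hexdigest()


def handle_unverified(query_string: str, subscribers: set) -> bool:
    """Behaviour the advisory describes: the bare query string is treated as
    the address to delete, with no proof the requester owns it."""
    email = query_string.strip().lower()
    if email in subscribers:
        subscribers.discard(email)
        return True
    return False


def handle_verified(query_string: str, subscribers: set) -> bool:
    """Hardened form: delete only when a valid token accompanies the address."""
    params = parse_qs(query_string)
    email = params.get("email", [""])[0].strip().lower()
    token = params.get("token", [""])[0]
    if not email or email not in subscribers:
        return False
    expected = unsubscribe_token(email)
    # Constant-time comparison on bytes; also tolerates non-ASCII input.
    if not hmac.compare_digest(token.encode("utf-8"), expected.encode("utf-8")):
        return False
    subscribers.discard(email)
    return True


def sample_list() -> set:
    """Constructed sample subscriber list."""
    return {"alice@example.com", "bob@example.com"}
```
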