Subject: Security Advisory: Subscribe Me Lite 1.0 - 2.0 Unix or 1.0 - 2.0 NT and below.
From: Steve (steveSECURESOLUTIONS.ORG)
Date: Tue Dec 12 2000 - 19:25:37 CST



Note: This is not apparent in the commercial versions (tested on three
different versions).
The author was notified and appropriate changes have since been made.

product page -

http://www.cgiscriptcenter.com/subscribe/index2.html

vendor notice -

Security Advisory:

Users of Subscribe Me Lite 1.0 - 2.0 Unix or 1.0 - 2.0 NT, update today to
protect your Subscribe Me Lite from outside access to your administration
panel.

[Full disclosure]

Yes, that's right, the malicious user can cause somewhat considerable damage
to a Subscribe Me Lite mailing list if you are using versions 1.0 - 2.0 Unix
or 1.0 - 2.0 NT. A simple web browser pre-formatted call can allow an
attacker to delete ANY user from the list, in the form of

http://url.to.victim.com/subscribe.pl?someemail.com

The user will be deleted from the list without any kind of verification
whatsoever.

The vendor has updated with this information; please update yours.

Thanks
Tom (Digital Vampire)

IC-CRYPT.com // Enhancing communications since 1998
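
For administrators who want to check whether the URL form shown in the advisory was requested against their own list, the following is an added example (not part of the original advisory and not the vendor's code) that scans web server access logs for GET requests to `subscribe.pl` whose query string is a bare value, and groups them by client. It assumes Common Log Format; the sample log lines, addresses, and the `action`/`email` parameters in them are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumed Common Log Format prefix: client ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# URL form from the advisory: subscribe.pl?<bare value>, a query with no key=value pairs.
BARE_QUERY_RE = re.compile(r'/subscribe\.pl\?([^=&\s]+)$', re.IGNORECASE)

def find_bare_removals(lines):
    """Return {client: [(time, address, status), ...]} for GETs in the advisory's URL form."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed log format
        client, when, method, target, status = m.groups()
        q = BARE_QUERY_RE.search(target)
        if method.upper() != "GET" or not q:
            continue
        hits[client].append((when, unquote(q.group(1)), int(status)))
    return dict(hits)

def summarize(hits):
    """Rows of (client, distinct addresses, total requests), most distinct addresses first."""
    rows = [(c, len({addr for _, addr, _ in ev}), len(ev)) for c, ev in hits.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

# Constructed sample log lines (documentation IP ranges, example.* addresses).
# The action= and email= parameters are hypothetical, standing in for ordinary traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Dec/2000:19:01:02 -0600] "GET /cgi-bin/subscribe.pl?alice%40example.com HTTP/1.0" 200 312',
    '198.51.100.7 - - [12/Dec/2000:19:01:03 -0600] "GET /cgi-bin/subscribe.pl?bob%40example.com HTTP/1.0" 200 312',
    '198.51.100.7 - - [12/Dec/2000:19:01:04 -0600] "GET /cgi-bin/subscribe.pl?alice%40example.com HTTP/1.0" 200 312',
    '203.0.113.9 - - [12/Dec/2000:19:05:00 -0600] "GET /cgi-bin/subscribe.pl?carol%40example.org HTTP/1.0" 200 312',
    '203.0.113.9 - - [12/Dec/2000:19:06:00 -0600] "POST /cgi-bin/subscribe.pl HTTP/1.0" 200 1024',
    '192.0.2.44 - - [12/Dec/2000:19:07:00 -0600] "GET /cgi-bin/subscribe.pl?action=subscribe&email=dave%40example.net HTTP/1.0" 200 800',
    '192.0.2.44 - - [12/Dec/2000:19:08:00 -0600] "GET /index.html HTTP/1.0" 200 4096',
]

if __name__ == "__main__":
    for client, distinct, total in summarize(find_bare_removals(SAMPLE_LOG)):
        print(f"{client}: {total} request(s), {distinct} distinct address(es)")
```

Clients that name many distinct addresses in a short window are the ones to compare against unexplained drops in the subscriber list.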
