Bugtraq mailing list archives
Re: Subscribe Me CGI Vulnerability
From: CGI Script Center Support <support () cgiscriptcenter com>
Date: Wed, 23 Aug 2000 10:01:15 -0700
Hello,

Thank you for bringing the below problem to our attention. In the interests of protecting the users of programs, it always helps to know this information prior to it becoming public, so that those users have time to upgrade. We have no problem with such problems being disclosed publicly, other than the obvious security ramifications for users. I hope the respective tracking companies will consider the ramifications prior to posting this information.

The below problem was solved with a simple check for an existing password file in the sub setpwd routine:

    if (-e "$passfile/password.txt") {
        print "Content-type: text/html\n\n";
        print "Password already exists. Please delete your password file manually if you want to reset your password<BR>";
        exit;
    }

The affected programs have already been fixed and updated, and the new downloads are already available.

Thanks, once again, for bringing these problems to our attention.
<< CGI Script Center Support
support () cgiscriptcenter com

-----Original Message-----
From: n30 [mailto:n30 () alldas de]
Sent: Wednesday, August 23, 2000 3:08 PM
To: cgi () elitehost com; bugtraq () securityfocus com; gov-boi () hack co za; submissions () packetstorm securify com; trib () alldas de
Subject: Subscribe Me CGI Vulnerability

Product: Subscribe Me
Versions: All version numbers, LITE only
Vendor: Notified, http://www.cgiscriptcenter.com/

The Problem: Once again a remote user can alter the Admin Password for the Subscribe Me Admin Control Panel, allowing a user to add and remove ppl from the list as well as initiate a mailing with a message body of their choice.

Exploit: See the html attachment included.

Patches: There should be one shortly after they fix Account Manager :)

n30
n30 () alldas de
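The setpwd guard described in the vendor's reply, as an added example that is not Subscribe Me's own code: a Perl routine that refuses to write a second password file, with the existence test and the file creation done as one atomic step rather than a separate -e check followed by a write. The directory name $passdir, the function names and the "Password set." message are assumptions; only the refusal text comes from the reply.

```perl
#!/usr/bin/perl
# Added example, not Subscribe Me's code: the setpwd guard described in the
# vendor's reply, with the existence test and the file creation collapsed
# into one atomic step. $passdir is a hypothetical stand-in for $passfile.
use strict;
use warnings;
use Errno qw(EEXIST);
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);

# Create password.txt only if none exists yet. Returns 1 on success and
# 0 if a password is already set; any other I/O failure is fatal.
sub set_initial_password {
    my ($dir, $password) = @_;
    my $path = "$dir/password.txt";

    # O_EXCL makes "does it exist?" and "create it" a single system call,
    # so two requests arriving together cannot both succeed. A separate
    # -e test followed by open() leaves a small window where both would.
    my $fh;
    unless (sysopen($fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)) {
        return 0 if $! == EEXIST;
        die "cannot create $path: $!";
    }
    # A real script should store a hash here, not the password itself.
    print {$fh} "$password\n";
    close $fh or die "cannot write $path: $!";
    return 1;
}

# Response body for the setpwd action, reusing the vendor's wording.
sub setpwd_response {
    my ($dir, $password) = @_;
    return set_initial_password($dir, $password)
        ? "Password set.<BR>\n"
        : "Password already exists. Please delete your password file "
          . "manually if you want to reset your password<BR>\n";
}

# Stand-alone demonstration: the first request creates the file, the
# second one (any later remote request) is refused.
my $passdir = $ENV{PASSDIR} || '/tmp/subscribeme-example';
mkdir $passdir unless -d $passdir;
print "Content-type: text/html\n\n";
print setpwd_response($passdir, 'first-password');
print setpwd_response($passdir, 'second-attempt');
```

Run it twice against the same directory and the second run is also refused, which is the behaviour the vendor's check is meant to enforce; resetting still requires deleting the file by hand, exactly as the reply states.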
Attachment:
sublite20.zip