[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Blue Arc Group - IgnitionSuite CMS WebDMailer unsubscribe issue



aushack.com - Vulnerability Advisory
-----------------------------------------------
Release Date:
 08-Jun-2010

Software:
 Blue Arc Group - IgnitionSuite Web Content Management System (CMS)
 http://www.bluearcgroup.com/

 "With IgnitionSuite Web CMS, easy to use tools are at your fingertips.
  You can create, publish and manage online content across Websites,
  Intranets and Extranets - without the need for design or technical skills."

Versions tested:
 IgnitionSuite Version 3.0

Vulnerability discovered:

 Information Disclosure / Unauthenticated Unsubscription

Vulnerability impact:

	Low - It is possible to systematically unsubscribe all
	      mailing list users without authentication, which
	      reveals their <first> and <last> name.

Vulnerability information:

 Example:

  http://[site]/IgnitionSuite/external/WebDmailUnsubscribe.aspx?l=1&s=1

  would unsubscribe the user 1 from mailing list 1.

References:
 aushack.com advisory
 http://www.aushack.com/201006-ignitionsuite.txt

Credit:
 Patrick Webster ( patrick@xxxxxxxxxxx )

Disclosure timeline:
 16-Jan-2009 - Discovered during audit.
 18-Jan-2009 - Notified vendor.
 08-Jun-2010 - No response. Disclosure.

EOF