-
Notifications
You must be signed in to change notification settings - Fork 0
/
201006-ignitionsuite.txt
47 lines (32 loc) · 1.17 KB
/
201006-ignitionsuite.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
aushack.com - Vulnerability Advisory
-----------------------------------------------
Release Date:
08-Jun-2010
Software:
Blue Arc Group - IgnitionSuite Web Content Management System (CMS)
http://www.bluearcgroup.com/
"With IgnitionSuite Web CMS, easy to use tools are at your fingertips.
You can create, publish and manage online content across Websites,
Intranets and Extranets - without the need for design or technical skills."
Versions tested:
IgnitionSuite Version 3.0
Vulnerability discovered:
Information Disclosure / Unauthenticated Unsubscription
Vulnerability impact:
Low - It is possible to systematically unsubscribe all
mailing list users without authentication, which
reveals their <first> and <last> name.
Vulnerability information:
Example:
http://[site]/IgnitionSuite/external/WebDmailUnsubscribe.aspx?l=1&s=1
would unsubscribe the user 1 from mailing list 1.
References:
aushack.com advisory
http://www.aushack.com/201006-ignitionsuite.txt
Credit:
Patrick Webster ( patrick@aushack.com )
Disclosure timeline:
16-Jan-2009 - Discovered during audit.
18-Jan-2009 - Notified vendor.
08-Jun-2010 - No response. Disclosure.
EOF