Blue Arc Group - IgnitionSuite CMS WebDMailer unsubscribe issue

2010-06-1400:00:00

vulners.com

JSON

aushack.com - Vulnerability Advisory

Release Date:
08-Jun-2010

Software:
Blue Arc Group - IgnitionSuite Web Content Management System (CMS)
http://www.bluearcgroup.com/

"With IgnitionSuite Web CMS, easy to use tools are at your fingertips.
You can create, publish and manage online content across Websites,
Intranets and Extranets - without the need for design or technical skills."

Versions tested:
IgnitionSuite Version 3.0

Vulnerability discovered:

Information Disclosure / Unauthenticated Unsubscription

Vulnerability impact:

    Low - It is possible to systematically unsubscribe all
          mailing list users without authentication, which
          reveals their &lt;first&gt; and &lt;last&gt; name.

Vulnerability information:

Example:

http://[site]/IgnitionSuite/external/WebDmailUnsubscribe.aspx?l=1&s=1

would unsubscribe the user 1 from mailing list 1.

References:
aushack.com advisory
http://www.aushack.com/201006-ignitionsuite.txt

Credit:
Patrick Webster ( [email protected] )

Disclosure timeline:
16-Jan-2009 - Discovered during audit.
18-Jan-2009 - Notified vendor.
08-Jun-2010 - No response. Disclosure.

EOF

JSON