Message-ID: <AANLkTilODCS4Hw8JIDF26P4U6Q7fdYNSMZytXetZnPqv@mail.gmail.com>
Date: Tue, 8 Jun 2010 16:23:09 +1000
From: Patrick Webster <patrick@...hack.com>
To: bugtraq@...urityfocus.com
Subject: Blue Arc Group - IgnitionSuite CMS WebDMailer unsubscribe issue

aushack.com - Vulnerability Advisory
-----------------------------------------------
Release Date:
 08-Jun-2010

Software:
 Blue Arc Group - IgnitionSuite Web Content Management System (CMS)
 http://www.bluearcgroup.com/

 "With IgnitionSuite Web CMS, easy to use tools are at your fingertips.
  You can create, publish and manage online content across Websites,
  Intranets and Extranets - without the need for design or technical skills."

Versions tested:
 IgnitionSuite Version 3.0

Vulnerability discovered:

 Information Disclosure / Unauthenticated Unsubscription

Vulnerability impact:

  Low - It is possible to systematically unsubscribe all
        mailing list users without authentication, which
        reveals their <first> and <last> name.

Vulnerability information:

 Example:

  http://[site]/IgnitionSuite/external/WebDmailUnsubscribe.aspx?l=1&s=1

  would unsubscribe the user 1 from mailing list 1.

References:
 aushack.com advisory
 http://www.aushack.com/201006-ignitionsuite.txt

Credit:
 Patrick Webster ( patrick@...hack.com )

Disclosure timeline:
 16-Jan-2009 - Discovered during audit.
 18-Jan-2009 - Notified vendor.
 08-Jun-2010 - No response. Disclosure.

EOF
