Subscribe Me LITE Status: Admin Password Set Vulnerability Exploit

n30

Please enter the NEW Admin Pass:

password
confirmation



To use, modify the source to point to subscribe.pl on the TARGET server.

Product: Subscribe Me
Versions: All version numbers, LITE only
Vendor: Notified, http://www.cgiscriptcenter.com/

The Problem:

    Once again, a remote user can alter the Admin Password for the Subscribe Me
Admin Control Panel, allowing that user to add and remove people from the list as
well as initiate a mailing with a message body of their choice.

Exploit:
 
    See the html attachment included.
 
Patches:
    
    There should be one shortly after they fix Account Manager :)
 

n30@alldas.de