TUCoPS :: Web :: CMS / Portals :: b1a-1225.htm

IgnitionSuite CMS WebDMailer unsubscribe issue
Blue Arc Group - IgnitionSuite CMS WebDMailer unsubscribe issue
Blue Arc Group - IgnitionSuite CMS WebDMailer unsubscribe issue


aushack.com - Vulnerability Advisory
-----------------------------------------------
Release Date:
 08-Jun-2010

Software:
 Blue Arc Group - IgnitionSuite Web Content Management System (CMS)
http://www.bluearcgroup.com/ 

 "With IgnitionSuite Web CMS, easy to use tools are at your fingertips.
  You can create, publish and manage online content across Websites,
  Intranets and Extranets - without the need for design or technical skills."

Versions tested:
 IgnitionSuite Version 3.0

Vulnerability discovered:

 Information Disclosure / Unauthenticated Unsubscription

Vulnerability impact:

	Low - It is possible to systematically unsubscribe all
	      mailing list users without authentication, which
	      reveals their  and  name.

Vulnerability information:

 Example:

http://[site]/IgnitionSuite/external/WebDmailUnsubscribe.aspx?l=1&s=1 

  would unsubscribe the user 1 from mailing list 1.

References:
 aushack.com advisory
http://www.aushack.com/201006-ignitionsuite.txt 

Credit:
Patrick Webster ( patrick@aushack.com ) 

Disclosure timeline:
 16-Jan-2009 - Discovered during audit.
 18-Jan-2009 - Notified vendor.
 08-Jun-2010 - No response. Disclosure.

EOF

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH