------------------------------------------------------------
input validation error in Subscribe Me Lite v2.01 [28/10/00]
------------------------------------------------------------

teehee

just found an input validation error in Subscribe Me Lite v2.01 (supposedly a "security" update)

http://www.cgiscriptcenter.com/subscribe/index2.html

it seems you can delete ANYONE from the subscription database with a simple web browser url call in the form of

http://url.to.victim/cgi-bin/subscribe.pl?victims@email.com

WITHOUT administration password validation :P

if they have the default addresses.txt database file stored in a world readable location then you can cause a wee bit of havoc on their e-mail list, since it's stored in plain text db form ;)

or if you happen to know someone's e-mail who is subscribed to a Subscribe Me Lite v2.01 mailing list you can taunt them by deleting their subscription without their knowledge.

(version numbers can be identified by just calling the root of the script name - eg http://url.to.victim/cgi-bin/subscribe.pl - this will show the "administration" login screen which identifies the version number)

from tests done so far it *seems* the professional version is NOT vulnerable to the same exploit. the tests were done on professional versions 2.034 Beta 5 and the latest 2.039 but were only successful on Subscribe Me Lite v2.01

http://www.cgiscriptcenter.com/subscribe/index2.html

Happy Halloween ..

Digital Vampire.
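As an added, defender-side example (not part of the original post and not the vendor's code), the following Python check scans constructed web-server log lines for requests of the shape described above (subscribe.pl called with a bare e-mail address as the entire query string) and lists source IPs that issued several such requests, which is what a mass deletion of a list would look like. The NCSA common log format, the sample lines and the threshold of three requests are assumptions.

```python
import re
from collections import Counter

# NCSA common log format, as written by Apache 1.x (assumed format)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# A query string that is nothing but one e-mail address: the unauthenticated delete shape
BARE_EMAIL_RE = re.compile(r'^[^@\s?&=]+@[^@\s?&=]+\.[^@\s?&=]+$')

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Oct/2000:09:00:01 +0000] "GET /cgi-bin/subscribe.pl HTTP/1.0" 200 1024',
    '203.0.113.5 - - [28/Oct/2000:09:00:09 +0000] "GET /cgi-bin/subscribe.pl?alice@example.org HTTP/1.0" 200 310',
    '198.51.100.7 - - [28/Oct/2000:09:05:10 +0000] "GET /cgi-bin/subscribe.pl?bob@example.org HTTP/1.0" 200 310',
    '198.51.100.7 - - [28/Oct/2000:09:05:11 +0000] "GET /cgi-bin/subscribe.pl?carol@example.org HTTP/1.0" 200 310',
    '198.51.100.7 - - [28/Oct/2000:09:05:12 +0000] "GET /cgi-bin/subscribe.pl?dave@example.org HTTP/1.0" 200 310',
    '198.51.100.7 - - [28/Oct/2000:09:06:00 +0000] "GET /index.html HTTP/1.0" 200 2048',
    'this line is not a log entry',
]

def parse_line(line):
    """Split one log line into its fields; return None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group('path').partition('?')
    return {'ip': m.group('ip'), 'ts': m.group('ts'), 'method': m.group('method'),
            'path': path, 'query': query, 'status': int(m.group('status'))}

def is_unauth_unsubscribe(rec):
    """True when subscribe.pl is requested with a bare e-mail as the whole query string."""
    return (rec is not None
            and rec['path'].endswith('/subscribe.pl')
            and BARE_EMAIL_RE.match(rec['query']) is not None)

def flag_unsubscribes(lines, mass_threshold=3):
    """Return (flagged records, IPs with at least mass_threshold flagged requests)."""
    hits = [r for r in (parse_line(l) for l in lines) if is_unauth_unsubscribe(r)]
    per_ip = Counter(r['ip'] for r in hits)
    mass = sorted(ip for ip, n in per_ip.items() if n >= mass_threshold)
    return hits, mass

if __name__ == '__main__':
    hits, mass = flag_unsubscribes(SAMPLE_LOG)
    print(len(hits), 'suspect unsubscribe requests; mass-deletion sources:', mass)
```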