------------------------------------------------------------
input validation error in Subscribe Me Lite v2.01 [28/10/00]
------------------------------------------------------------

teehee just found an input validation error in Subscribe Me
Lite v2.01 (supposedly a "security" update)

http://www.cgiscriptcenter.com/subscribe/index2.html

it seems you can delete ANYONE from the subscription 
database with a simple web browser url call in the form
of http://url.to.victim/cgi-bin/subscribe.pl?victims@email.com

WITHOUT administration password validation :P

if they have the default addresses.txt database file stored
in a world readable location then you can cause a wee bit of
havoc on their e-mail list, since it's stored in plain text
db form ;)

or if you happen to know someone's e-mail who is subscribed
to a Subscribe Me Lite v2.01 mailing list you can taunt them
by deleting their subscription without their knowledge.


(version numbers can be identified by just calling the root
of the script name - eg http://url.to.victim/cgi-bin/subscribe.pl
this will show the "administration" login screen which identifies
the version number)

from tests done so far it *seems* the professional version
is NOT vulnerable to the same exploit.

the tests were done on professional versions 2.034 Beta 5 and
the latest, 2.039, but were only successful on Subscribe Me Lite
v2.01 http://www.cgiscriptcenter.com/subscribe/index2.html


Happy Halloween .. 
Digital Vampire.
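
A log check for the request form described above, as an added example that is not part of the original advisory: it scans Apache-style access log lines for calls to subscribe.pl whose query string is nothing but an e-mail address, and groups the affected addresses by client. The log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache common/combined log format (assumed): client, timestamp, request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*"'
)
# A query string that is one e-mail address and nothing else (no key=value pairs).
BARE_EMAIL_RE = re.compile(r'^[^@\s=&]+@[^@\s=&]+\.[^@\s=&]+$')
SCRIPT_NAME = "subscribe.pl"  # script name from the advisory; the path is site-specific


def find_unsubscribe_hits(lines):
    """Return (ip, timestamp, address) for each bare-address call to the script."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access log line
        path, sep, query = m.group("target").partition("?")
        if not sep or not path.endswith("/" + SCRIPT_NAME):
            continue  # no query string, or a different script
        address = unquote(query)  # also catches a %40-encoded "@"
        if BARE_EMAIL_RE.match(address):
            hits.append((m.group("ip"), m.group("ts"), address.lower()))
    return hits


def addresses_by_client(hits):
    """Group distinct addresses per client IP; many addresses from one IP is the signal."""
    grouped = defaultdict(set)
    for ip, _ts, address in hits:
        grouped[ip].add(address)
    return dict(grouped)


# Constructed sample log lines (documentation IP ranges, example.com addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Oct/2000:21:14:03 +0000] "GET /cgi-bin/subscribe.pl?alice@example.com HTTP/1.0" 200 512',
    '192.0.2.10 - - [28/Oct/2000:21:14:05 +0000] "GET /cgi-bin/subscribe.pl?bob%40example.com HTTP/1.0" 200 512',
    '198.51.100.7 - - [28/Oct/2000:21:20:00 +0000] "GET /cgi-bin/subscribe.pl HTTP/1.0" 200 2048',
    '198.51.100.7 - - [28/Oct/2000:21:21:00 +0000] "GET /cgi-bin/other.pl?carol@example.com HTTP/1.0" 200 100',
]

if __name__ == "__main__":
    for ip, addrs in addresses_by_client(find_unsubscribe_hits(SAMPLE_LOG)).items():
        print(ip, sorted(addrs))
```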