Blue Arc Group - IgnitionSuite Web Content Management System Information Disclosure / Unauthenticated Unsubscription
Release Date:
08-Jun-2010
Software:
Blue Arc Group - IgnitionSuite Web Content Management System (CMS)
http://www.bluearcgroup.com/
"With IgnitionSuite Web CMS, easy to use tools are at your fingertips.
You can create, publish and manage online content across Websites,
Intranets and Extranets - without the need for design or technical skills."
Versions tested:
IgnitionSuite Version 3.0
Vulnerability discovered:
Information Disclosure / Unauthenticated Unsubscription
Vulnerability impact:
Low - It is possible to systematically unsubscribe all
mailing list users without authentication, which
reveals their <first> and <last> name.
Vulnerability information:
Example:
http://[site]/IgnitionSuite/external/WebDmailUnsubscribe.aspx?l=1&s=1
would unsubscribe the user 1 from mailing list 1.
Credit:
Patrick Webster
Disclosure timeline:
16-Jan-2009 - Discovered during audit.
18-Jan-2009 - Notified vendor.
08-Jun-2010 - No response. Disclosure.
08-Jun-2010
Software:
Blue Arc Group - IgnitionSuite Web Content Management System (CMS)
http://www.bluearcgroup.com/
"With IgnitionSuite Web CMS, easy to use tools are at your fingertips.
You can create, publish and manage online content across Websites,
Intranets and Extranets - without the need for design or technical skills."
Versions tested:
IgnitionSuite Version 3.0
Vulnerability discovered:
Information Disclosure / Unauthenticated Unsubscription
Vulnerability impact:
Low - It is possible to systematically unsubscribe all
mailing list users without authentication, which
reveals their <first> and <last> name.
Vulnerability information:
Example:
http://[site]/IgnitionSuite/external/WebDmailUnsubscribe.aspx?l=1&s=1
would unsubscribe the user 1 from mailing list 1.
Credit:
Patrick Webster
Disclosure timeline:
16-Jan-2009 - Discovered during audit.
18-Jan-2009 - Notified vendor.
08-Jun-2010 - No response. Disclosure.
