Subscribe Me Pro unknown script allows directory traversal
| subscribemepro-unknown-directory-traversal (22249) |  Low Risk |
Description:
Subscribe Me Pro could allow a remote attacker to traverse directories on the system. A remote attacker could send a specially-crafted URL request to unknown scripts containing "dot dot" sequences (../) to traverse directories and view files outside of the root directory.
Consequences:
Obtain Information
Remedy:
Upgrade to the latest version of Subscribe Me Pro (2.050.01P or later), available from the Subscribe Me Pro Web site. See References.
References:
- Full-Disclosure Mailing List: Tue Sep 13 2005 - 08:41:34 CDT: Subscribe Me Pro 2.044.09P and prior Directory Traversal Vulnerability (Updated).
- Subscribe Me Professional Web site: SiteInteractive.com - Subscribe Me Professional.
- BID-14817: Subscribe Me Pro S.PL Remote Directory Traversal Vulnerability
- CVE-2005-2952: Directory traversal vulnerability in s.pl in Subscribe Me Pro 2.044.09P and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the l parameter.
- SA16796: Subscribe Me Pro "l" Parameter Directory Traversal Vulnerability
Platforms Affected:
- SiteInteractive Subscribe Me Pro 2.044.09P
Reported:
Sep 13, 2005
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net