漏洞类别:CGI
漏洞等级: 
漏洞信息
Interspire Email Marketer is an email marketing software that allows you to create, send and track email marketing.
The function that checks whether the user is already logged in the init.php source file allows remote attackers to bypass authentication and obtain administrative access by using a crafted IEM_CookieLogin cookie.
Versions Affected:
Interspire Email Marketer (IEM) prior to 6.1.6
QID Detection Logic:
This unauthenticated QID detects the vulnerability in the following ways
1. Transmits a request with crafted IRM_CookieLogin value to gain access to the administrative console on a affected system confirming the vulnerability.
2. If the above is not possible, the QID simply detects the version exposed on the /admin/index.php webpage.
漏洞危害
Successful exploitation allows an unauthenticated, remote attacker to bypass authentication and gain administrative access on a targeted system.
解决方案
Customers are advised to upgrade to IEM 6.1.6 or later versions to remediate this vulnerability.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
0daybank
文章评论