Subscribe Me
------------

CVE Number: 
None

Details:
The subscribe.pl cgi script was found on the system. This is used by 
Subscribe Me, a mailing list script. Early versions of Subscribe Me allowed
remote attackers to overwrite the password file with their own. All versions
use "security by obscurity" to protect the password file (the documents
suggest moving it to a "non-web" directory). Some versions still allow an
attacker to delete ANY user from the list.

Fix:
It is recommended that the file be removed from the system, or upgrade to the
latest version of the program.

Related URLs:
http://archives.neohapsis.com/archives/bugtraq/2000-08/0292.html
http://archives.neohapsis.com/archives/bugtraq/2000-08/0297.html
http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0120.html
http://www.cgiscriptcenter.com/subscribe/

$Id: sub-me,v 1.2 2001/01/04 18:45:05 loveless Exp $
