eBook authors eBook Software - create and publish your own ebooks
Create your own eBooks
 
   
EBookApprentice.com
Learn How To Create, Publish & Market E-Books
 
   
EBookCompiler.com
E-Book Creation Software
 
   
EBookPower.com
Add sophisticated multimedia to your E-Books
 
   
CoverFactory.com
Create E-Book covers in minutes
 
 
  EBookSubmit.com
E-Book Marketing & Promotion made easy
 
  EBookJungle.com
Search engine for E-Books
 
  EBookInterviews.com
Interviews with eBook authors
 
  EBookEnhance.com
Tools for building better eBooks
 
 
 
Archived Message:

Autoresponder Unlimited

 »Autoresponder Unlimited Security
 
E Jones I recently purchased your Autoresponder product and I have one concern. After setting up autoresponder, if you enter the following URLhttp://www.yourdomain.com/cgi-bin/autoresponder/ar.cgi?mode=letters”, the site will allow anyone access to the autoresponder admin console without entering the password. Does anyone know if this is a bug in the program? I cannot publish my site, since this will allow anyone to administer the admin panel and import or export subscriber’s information.

Posted on: 5:40 am on January 20, 2005
EBookCompiler It's a third party product, so I don't know the answer off the top of my head.

Let me check the docs, etc, and try to contact the author (who I have previously corresponded with via email) and get back to you.

I'll try to be as quick as possible, but I can't promise an immediate answer


Posted on: 4:24 am on January 22, 2005
EBookCompiler While I'm not disputing your report, I would be very grateful, if you could you please double check including:

1. Re-unpacking ar.cgi from the zip (in case you have lost a character etc)

2. Checking you have set a password in the config

3. Email me or post specific instructions to replicate the problem, if it is not 100% obvious how to do it.

In the meantime, I will continue to investigate, and try to get as soon as possible, although, as I say, I can't promise immediately.


Posted on: 4:57 am on January 22, 2005
E Jones Thanks Sunil. I will try Re-unpacking ar.cgi from the zip. Just a quick note: If I visit the URLhttp://www.yourdomain.com/cgi-bin/autoresponder/ar.cgi?, it will forward me to the admin.html page that will require the correct password. If I bypass the admin.html page by visitinghttp://www.yourdomain.com/cgi-bin/autoresponder/ar.cgi?mode=letters, it will allow access to the admin area without requiring a password. I have attempted this from multiple computers and the result is the same.

Again Thanks


Posted on: 5:38 am on January 22, 2005
EBookCompiler I had to edit some comments I made above.

I have to sleep now too, but will look at it when I awake

If there is a bug, then I could in principle develop a patch. I suspect the patch would be almost trivial (like one line of code). Because of the license agreement, I think that I may need to get the author's permission to develop and release such a patch.

A quick look around google and on security sites, did not reveal any published exploits for this script (but I may not have found it). If the script was bugged, I would have thought that such an exploit would be listed, since the script is quite widely used, including apparently pre-installed by one particular web host's systems.


Posted on: 5:47 am on January 22, 2005
EBookCompiler I don't think I've heard back from the author of the script

These are the options, I think:

1. You could remove ar.cgi when not using it. This would prevent any access to the admin functions, except when you wanted it. I think the Autoresponder should still work (but I strongly suggest you check it) in this situation

2. I can refund you.  ClickBank has a 90 day time limit for online refunds, so you can email me with the receipt number and I'll deal with it, or please email ClickBank direct if we're getting close to the 90 days, or if it's over 90 days, email me and we'll sort something out.

3. We can wait a bit longer to hear from the author.  If we're inside the 90 days from #2, and it's not imminent, then you can wait.  Or, if it's close to the 90 days, let's do #2 anyway.

Let me know.

If it's frustrating for you. Sorry. It is frustrating for me too, because I know that any problem of this sort can be fixed, even by me (a non Perl expert), if I get the author's permission to do the fix.  Without the permission, we are stuck with options 1-3.


Posted on: 4:22 pm on February 1, 2005
Ryan


Quote: from E Jones on 5:40 am on Jan. 20, 2005[br]I recently purchased your Autoresponder product and I have one concern. After setting up autoresponder, if you enter the following URLhttp://www.yourdomain.com/cgi-bin/autoresponder/ar.cgi?mode=letters”, the site will allow anyone access to the autoresponder admin console without entering the password. Does anyone know if this is a bug in the program? I cannot publish my site, since this will allow anyone to administer the admin panel and import or export subscriber’s information.

Has this issue been resolved yet?

This must be a huuuuuuuge flaw because I know tons of people use this.  It does the exact same thing on my server too but I didnt purchase this from you.  I just was checking for security issues with it before using it and yes, it is a HUGE issue.

If you found a fix for it please let me know, otherwise maybe we can work on one together if you are still selling this.


Posted on: 3:11 pm on December 20, 2005
EBookCompiler We stopped selling the script, because of the problem, and being unable to contact the author for permission to fix it (the License forbids us changing the script).

I seem to remember this particular customer switched to another script

You may find this link (links to other CGI autoresponders) helpful
http://www.ezineblast.com/cgi_email_auto.php


Posted on: 9:32 am on December 21, 2005
Ryan Thank you very much!  I will take a look at this.

Posted on: 11:15 am on December 21, 2005
TomRasi05 If there is a bug, then I could in principle develop a patch. I suspect the patch would be almost trivial (like one line of code). Because of the license agreement, I think that I may need to get the author's permission to develop and release such a patch.

*************
Atlanta plumbing company


Posted on: 12:24 pm on May 9, 2013

Go to Active Discussion Thread

Participate in Current/New Discussions

List All Archived Forums



Copyright © 2000-2015, Answers 2000 Limited.

With any business, it is up to the individual owner of said business to ensure the success of the business. You may make more or less than any sample figures or results that might be quoted on our web sites or other publications. All business involves risk, and many businesses do not succeed. Further, Answers 2000 Limited does NOT represent that any particular individual or business is typical, or that any results or experiences achieved by any particular individual/business is necessarily typical.

Disclosure: Our company's websites' content (including this website's content) includes advertisements for our own company's websites, products, and services, and for other organization's websites, products, and services. In the case of links to other organization's websites, our company may receive a payment, (1) if you purchase products or services, or (2) if you sign-up for third party offers, after following links from this website. Unless specifically otherwise stated, information about other organization's products and services, is based on information provided by that organization, the product/service vendor, and/or publicly available information - and should not be taken to mean that we have used the product/service in question. Additionally, our company's websites contain some adverts which we are paid to display, but whose content is not selected by us, such as Google AdSense ads. For more detailed information, please see Advertising/Endorsements Disclosures

Our sites use cookies, some of which may already be set on your computer. Use of our site constitutes consent for this. For details, please see Privacy.

Contact Us    About and Terms Of Use    Privacy    Advertising/Endorsements Disclosures