I recently purchased your Autoresponder product and I have one concern. After setting up autoresponder, if you enter the following URL http://www.yourdomain.com/cgi-bin/autoresponder/ar.cgi?mode=letters, the site will allow anyone access to the autoresponder admin console without entering the password. Does anyone know if this is a bug in the program? I cannot publish my site, since this will allow anyone to administer the admin panel and import or export subscribers' information.
Thanks Sunil. I will try re-unpacking ar.cgi from the zip. Just a quick note: If I visit the URL http://www.yourdomain.com/cgi-bin/autoresponder/ar.cgi?, it will forward me to the admin.html page that will require the correct password. If I bypass the admin.html page by visiting http://www.yourdomain.com/cgi-bin/autoresponder/ar.cgi?mode=letters, it will allow access to the admin area without requiring a password. I have attempted this from multiple computers and the result is the same.
I have to sleep now too, but will look at it when I awake.
If there is a bug, then I could in principle develop a patch. I suspect the patch would be almost trivial (like one line of code). Because of the license agreement, I think that I may need to get the author's permission to develop and release such a patch.
A quick look around Google and on security sites did not reveal any published exploits for this script (but I may not have found it). If the script was bugged, I would have thought that such an exploit would be listed, since the script is quite widely used, including apparently being pre-installed by one particular web host's systems.
I don't think I've heard back from the author of the script.
These are the options, I think:
1. You could remove ar.cgi when not using it. This would prevent any access to the admin functions, except when you wanted it. I think the Autoresponder should still work (but I strongly suggest you check it) in this situation.
2. I can refund you. ClickBank has a 90 day time limit for online refunds, so you can email me with the receipt number and I'll deal with it, or please email ClickBank direct if we're getting close to the 90 days, or if it's over 90 days, email me and we'll sort something out.
3. We can wait a bit longer to hear from the author. If we're inside the 90 days from #2, and it's not imminent, then you can wait. Or, if it's close to the 90 days, let's do #2 anyway.
Let me know.
If it's frustrating for you, sorry. It is frustrating for me too, because I know that any problem of this sort can be fixed, even by me (a non-Perl expert), if I get the author's permission to do the fix. Without the permission, we are stuck with options 1-3.
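To illustrate the ordering problem the thread describes (a password gate that guards only the default page while ?mode=... requests go straight to a handler), here is an added example of a mode-dispatching CGI that authenticates before it dispatches. It is written for this thread and is not the Autoresponder script's own code; the handler names, the POST field name, the SHA-256 hex password file and its path are assumptions.

```perl
#!/usr/bin/perl
# Added illustration for this thread, not the Autoresponder script's own code.
# The password check runs before any mode is dispatched, so a direct request for
# ar.cgi?mode=letters cannot reach an admin handler unauthenticated. Handler
# names, the POST field name and the hash-file path are assumptions.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

my $PASSWORD_FILE = '/home/example/private/admin.pw';   # assumed; keep it outside the web root

# Decode application/x-www-form-urlencoded data into a hash (core Perl only).
sub parse_form {
    my ($data) = @_;
    my %p;
    for my $pair (split /[&;]/, $data // '') {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        for ($k, $v) { next unless defined; tr/+/ /; s/%([0-9A-Fa-f]{2})/chr hex $1/ge }
        $p{$k} = $v // '';
    }
    return \%p;
}

# Compare SHA-256 of the submitted password with the stored hex digest without
# stopping at the first differing byte.
sub password_ok {
    my ($submitted) = @_;
    open my $fh, '<', $PASSWORD_FILE or return 0;
    chomp(my $stored = <$fh> // '');
    close $fh;
    my $given = sha256_hex($submitted // '');
    return 0 unless length($stored) == length($given);
    my $diff = 0;
    $diff |= ord(substr($stored, $_, 1)) ^ ord(substr($given, $_, 1)) for 0 .. length($stored) - 1;
    return $diff == 0;
}

sub show_letters       { print "Content-Type: text/plain\r\n\r\nletters admin page\n" }
sub export_subscribers { print "Content-Type: text/plain\r\n\r\nsubscriber export\n" }
my %handlers = (letters => \&show_letters, export => \&export_subscribers);

# mode comes from the query string; the password from the POST body, never the URL.
my $query = parse_form($ENV{QUERY_STRING});
my $body = ''; read(STDIN, $body, $ENV{CONTENT_LENGTH}) if $ENV{CONTENT_LENGTH};
my $form = parse_form($body);

# Gate first, dispatch second: a gate that only guards the no-mode path is skipped by every ?mode=...
unless (password_ok($form->{password})) {
    print "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nPassword required\n";
    exit 0;
}
my $handler = $handlers{ $query->{mode} // '' }
    or do { print "Status: 404 Not Found\r\nContent-Type: text/plain\r\n\r\nUnknown mode\n"; exit 0 };
$handler->();
```

The same check would have to be applied to every entry point of the real script, including any mode that exports subscriber data.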
Quote from E Jones on 5:40 am on Jan. 20, 2005:
I recently purchased your Autoresponder product and I have one concern. After setting up autoresponder, if you enter the following URL http://www.yourdomain.com/cgi-bin/autoresponder/ar.cgi?mode=letters, the site will allow anyone access to the autoresponder admin console without entering the password. Does anyone know if this is a bug in the program? I cannot publish my site, since this will allow anyone to administer the admin panel and import or export subscribers' information.
Has this issue been resolved yet?
This must be a huuuuuuuge flaw because I know tons of people use this. It does the exact same thing on my server too, but I didn't purchase this from you. I was just checking it for security issues before using it and yes, it is a HUGE issue.
If you found a fix for it please let me know, otherwise maybe we can work on one together if you are still selling this.
We stopped selling the script, because of the problem, and being unable to contact the author for permission to fix it (the License forbids us changing the script).
I seem to remember this particular customer switched to another script.