Massive Security Vulnerability Interspire Email Marketer

I was caught off guard recently by this post on the official Interspire Forums:

harden iem

So, a good friend and IEM user decided to contact the person who sent this email to see if he could learn more about the exploit being used.

The sender, who I will refer to as the “hacker” from here on, responded to the inquiry. He is essentially selling a guide on “how to hack IEM” which allows anyone to enter any IEM install and use it as if they had a system admin account: send email, export contacts, etc. The price for this valuable hacker guide… $7000.

In doing some searching we found this previous thread in the official Interspire Forum:

6.1.6 security gap closed

So, my friend decided to put it to the test. He asked the hacker to prove it could be done and pointed him at an IEM install running version 6.1.5. The hacker returned with proof of the results. It was definitive: he had full access to everything in the install.

Next my friend pointed him at an IEM install running version 6.1.6. The hacker was unable to penetrate it.

So there you have it. You had better upgrade to 6.1.6.


6 Responses to Massive Security Vulnerability Interspire Email Marketer

  1. Nick September 19, 2017 at 11:22 am #

    My company is using the recommended IEM version 6.1.6, and today someone broke into our panel by SQL injection, created 2 spam campaigns and managed to send them to all of our contacts. Amazon SES has now blacklisted us and we are waiting for an appeal.

    Stay away from Interspire Email Marketer and try other self-hosted solutions; the software is full of bugs if you dig deeper into the other solutions they offer, and the ridiculous yearly rip-off fee is just not worth it anymore. Totally disappointed.

    We are already searching for a new alternative.

  2. Frankie October 27, 2017 at 9:15 am #

    Any details on that SQL injection Nick? Anything you can post would be very helpful.

    Interspire has had problems with SQL injection long ago, see https://packetstormsecurity.com/files/117201/Interspire-Email-Marketer-6.0.1-XSS-SQL-Injection.html

    On the hack mentioned in the article above, the latest version 6.1.7 has, under the changelog, a very non-specific ‘Fixed several security vulnerabilities’.

    Maybe they meant a fix for this cookie spoofing bug:
    https://security.infoteam.ch/en/blog/posts/narrative-of-an-incident-response-from-compromise-to-the-publication-of-the-weakness.html

  3. Nancy Eaton November 1, 2017 at 2:53 pm #

    Where do we get 6.1.7? My account was hacked also.

    • admin November 5, 2017 at 1:44 pm #

      You can purchase the license directly on interspire.com

  4. Mads February 15, 2018 at 5:06 pm #

    Restrict web access to the /admin folder with a .htaccess file. That will sort your hacker issue.

    • Miguel Coria July 5, 2018 at 11:04 pm #

      Hi,

      We’re a little company dedicated to email marketing sending with IEM and we have the same issue: we’ve been hacked and two email campaigns are being sent. Following Mads’ recommendation, how can we restrict access to the “admin” folder?

      Regards.
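A concrete form of the restriction Mads describes, added here as an example; it is not part of the original post, the comments, or Interspire's own documentation. It assumes Apache 2.4, that the IEM admin directory lives at /var/www/iem/admin/ (adjust to your document root), and that the vhost has AllowOverride AuthConfig Limit (or All) for that path so the file is honoured. The IP range and the password file path are placeholders.

```apache
# /var/www/iem/admin/.htaccess   (assumed install path; adjust to your IEM document root)
#
# Two layers in front of the IEM control panel, enforced by Apache before any PHP runs:
#   1. a source-IP allow list   (203.0.113.0/24 is documentation space; put your office/VPN range here)
#   2. HTTP basic auth          (credential file kept outside the web root)
# <RequireAll> means a request must satisfy BOTH, so an application-level bug under admin/
# (SQL injection, cookie spoofing) is simply not reachable from an arbitrary internet address.

AuthType Basic
AuthName "IEM admin"
AuthUserFile /etc/apache2/iem-admin.htpasswd

<RequireAll>
    Require ip 203.0.113.0/24
    Require valid-user
</RequireAll>

# Belt and braces: refuse to serve the credential-related dotfiles themselves.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```

Create the password file once with `htpasswd -c /etc/apache2/iem-admin.htpasswd <username>` (drop `-c` for further users), then check from an address outside the allowed range that `curl -I https://your-host/admin/` returns 401 or 403 rather than 200. Before rolling this out, confirm that nothing campaign recipients hit (tracking links, subscription forms, bounce handlers) is served from under the admin directory, otherwise those requests will be blocked too; on Apache 2.2 the same policy needs the older `Order`/`Deny`/`Allow` plus `Satisfy All` syntax instead of `<RequireAll>`.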
