I was caught off guard recently by this post on the official Interspire Forums:
So, a good friend and IEM user decided to contact the person who sent this email to see if he could learn more about the exploit being used.
The sender, who I will refer to as the “hacker” moving forward, responded to the inquiry. He is essentially selling a guide to “how to hack IEM” which allows anyone to enter any IEM install and use it as if the user had a system admin account. You can send email, export contacts, etc. The price for this valuable hacker guide… $7000.
In doing some searching we found this previous thread in the official Interspire Forum:
So, my friend decided to put it to a test. He asked the hacker to prove it could be done and directed him to an IEM install version 6.1.5. The hacker returned with proof of the results. It was definitive. He had full access to everything in the install.
Next my friend directed him to an IEM install version 6.1.6. The hacker was unable to penetrate.
So there you have it. You had better upgrade to 6.1.6.
My company is using the recommended IEM version 6.1.6, and today someone broke into our panel by SQL injection, created 2 spam campaigns and managed to send them to all of our contacts. Amazon SES has now blacklisted us and we are waiting for an appeal.
Stay away from Interspire Email Marketer and try other self-hosted solutions. The software is full of bugs if you try digging deeper into the other solutions they offer, and the ridiculous yearly rip-off fee is just not worth it anymore. Totally disappointed.
We are already searching for a new alternative.
Any details on that SQL injection Nick? Anything you can post would be very helpful.
Interspire has had problems with SQL injection long ago, see https://packetstormsecurity.com/files/117201/Interspire-Email-Marketer-6.0.1-XSS-SQL-Injection.html
On the hack mentioned in the article above: for the latest version, 6.1.7, the changelog just says a very non-specific ‘Fixed several security vulnerabilities’.
Maybe they meant a fix for this cookie spoofing bug:
https://security.infoteam.ch/en/blog/posts/narrative-of-an-incident-response-from-compromise-to-the-publication-of-the-weakness.html
Where do we get 6.1.7 – my account was hacked also.
You can purchase the license directly on interspire.com
Restrict web access to /admin folder with a .access file. That will sort your hacker issue.
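One way to apply the suggestion above on an Apache 2.4 host, as an added example that is not from this thread or from Interspire: a `.htaccess` placed in the IEM `admin` directory that allows the panel only from a trusted network range and additionally requires a login. The IP range, the `.htpasswd` path and the realm name are placeholders; the server must have `AllowOverride AuthConfig Limit` (or `All`) enabled for that directory, otherwise the file is silently ignored.

```apache
# Constructed example: place this as .htaccess inside the IEM /admin directory.
# Requires Apache 2.4 (mod_authz_core, mod_authz_host, mod_auth_basic) and
# AllowOverride AuthConfig Limit for this directory in the vhost config.

# Both conditions must hold: request comes from the trusted range AND the
# visitor authenticates against the htpasswd file.
<RequireAll>
    # Placeholder: replace with the office / VPN range actually used to manage IEM.
    Require ip 203.0.113.0/24
    Require valid-user
</RequireAll>

# Second login layer in front of the IEM admin login itself.
AuthType Basic
AuthName "IEM admin (placeholder realm)"
# Placeholder path; keep the password file outside the web root.
AuthUserFile /etc/apache2/iem-admin.htpasswd
```

Verify it is active by requesting `/admin/` from an address outside the range and expecting a 403, and from inside the range without credentials and expecting a 401. This only reduces exposure of the admin interface; it does not fix an injection flaw in the application, and public-facing IEM endpoints outside `/admin` (for example form or tracking scripts) are not covered by it, so it complements an upgrade rather than replacing one.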
Hi,
We’re a little company dedicated to email marketing sending with IEM and we have the same issue: we’ve been hacked and two email campaigns are being sent. Looking at the “Mads” recommendation, how can we restrict access to the “admin” folder?
Regards.