A friend and customer recently made a discovery about Interspire Email Marketer that is concerning. He already shared the details on the official customer forum but I’m reposting here.
Wanted to let you all know that IEM, even the current version 6.1.7, has an XSS (cross-site scripting) vulnerability that could allow anyone to use your IEM site’s install as a way to do malicious things like trick people into downloading malware, ransomware, etc.
Unfortunately my attempts to display actual example code of this in this forum editor actually are causing the issue, so I can’t paste it in without breaking it apart. But if you make a URL from your base IEM installation and add in “?page=>” you can then add code to run some JavaScript code in the URL itself.
http://yourIEMdomainhere.com/admin/index.php?page=”>
+ an opening bracket “<”
+ some JS code to do something
+ a closing bracket “>”

and you’ll get a JavaScript pop up, but you shouldn’t. This vulnerability allows someone to create a shortened link to your IEM site using something like Bitly and use it to trick unsuspecting users into downloading something bad without them even knowing.
This vulnerability does not put your IEM install data or control at risk, it means your IEM install can be used to exploit others. If you are not concerned about your IEM instance being used to exploit others, then ignore this posting.
I am fairly technical but not actually a programmer so I don’t fully understand this vulnerability… but my colleagues who are told me that this stems from the fact that IEM is not properly quoting data entered by the user when reflecting it back to them. Specifically, it comes from the %%PAGE%% substitutions they are doing without quoting %%PAGE%%. This is present in a number of pages across the software, but the worst offenders are
admin/com/templates/login.tpl
admin/com/templates/forgotpassword.tpl

I reported it to IEM support and they mentioned they already had it in their internal bug tracker, so hopefully they fix it in a release coming soon. In the meantime if you want to fix yourself, comment out the culprit form tag and re-write it excluding the “%%PAGE%%” parameter. For example in “admin/com/templates/login.tpl”
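As an added illustration of the unquoted substitution the post describes (example code, not IEM’s own code or templates): a minimal PHP stand-in for the template renderer, with the vulnerable substitution beside an attribute-escaped one and an allow-list check for the page name. The form tag, the function names and the page-name pattern are assumptions, not the contents of the real login.tpl.

```php
<?php
// Added example, not IEM code. The template text is an assumed approximation
// of a login form that drops %%PAGE%% into the action attribute.

// Vulnerable pattern described in the post: the raw query value is copied
// into the attribute with no escaping, so a value beginning with "> closes
// the attribute and the tag, and whatever follows is rendered as markup.
function render_unsafe(string $template, string $page): string
{
    return str_replace('%%PAGE%%', $page, $template);
}

// Hardened pattern: encode for an HTML attribute context. ENT_QUOTES makes
// both " and ' safe, so the value can never terminate the quoted attribute.
function render_safe(string $template, string $page): string
{
    $encoded = htmlspecialchars($page, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return str_replace('%%PAGE%%', $encoded, $template);
}

// Stricter defence for this particular parameter (assumed rule): page names
// are short identifiers, so anything else can be rejected before rendering.
function is_valid_page_name(string $page): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_]{1,64}$/', $page);
}

$template = '<form method="post" action="index.php?page=%%PAGE%%">' . "\n"
          . '  <input type="submit" value="Login">' . "\n"
          . '</form>';

// Constructed input in the shape the post describes: a quote and a closing
// bracket followed by markup (a harmless tag is used here).
$hostile = '"><b>injected</b>';

echo "--- unsafe ---\n", render_unsafe($template, $hostile), "\n";
// The attribute is closed early and <b>injected</b> becomes live markup.

echo "--- safe ---\n", render_safe($template, $hostile), "\n";
// The attribute now holds &quot;&gt;&lt;b&gt;injected&lt;/b&gt;, which the
// browser treats as text rather than as a new element.

echo "valid page name? ", is_valid_page_name($hostile) ? "yes" : "no", "\n";
// Prints "no": the input fails the allow-list and can be rejected outright.
```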