
cgiemail 1.6-14 vulnerable to spamming exploit (bug 222870)

Hello All

I discovered this morning that our web server has been exploited for the 
relaying of spam. It has the latest "cgiemail" program distributed with 
Debian installed on it.

First thing I did was disable the cgiemail executable to stop the flow 
of spam. 

Then I did some research. This is not a totally new scenario. After a 
little web searching I have found:

1) An open bug report:

2) A demonstration of the exploit on bugtraq:

3) A patch which might fix the problem

4) An updated upstream version which may also fix the problem

I am not a C expert so I am reluctant to attempt to patch or recompile 
the thing myself. However maybe somebody out there can help.

Also I get the feeling that cgiemail is past its sell-by date and that 
we should be looking for an alternative more secure and actively 
supported program that is distributed with Debian (preferably woody). 
Any suggestions what we could use?

This won't remove the requirement for us to carry on using cgiemail, many 
of the pages we host use it. However maybe we should start weaning the 
webmasters onto something new.
Ian Forbes ZSD
Office: +27 21 683-1388  Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
