cgiemail 1.6-14 vulnerable to spamming exploit (bug 222870)
I discovered this morning that our web server has been exploited for the
relaying of spam. It has the latest "cgiemail" program distributed with
Debian installed on it.
The first thing I did was disable the cgiemail executable to stop the flow.
Then I did some research. This is not a totally new scenario. After a
little web searching I have found:
1) An open bug report:
2) A demonstration of the exploit on bugtraq:
3) A patch which might fix the problem
4) An updated upstream version which may also fix the problem
I am not a C expert so I am reluctant to attempt to patch or recompile
the thing myself. However maybe somebody out there can help.
Also I get the feeling that cgiemail is past its sell-by date and that
we should be looking for an alternative more secure and actively
supported program that is distributed with Debian (preferably woody).
Any suggestions what we could use?
This won't remove the requirement for us to carry on using cgiemail, since many
of the pages we host use it. However, maybe we should start weaning the
webmasters onto something new.
Ian Forbes ZSD
Office: +27 21 683-1388 Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
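The post does not say how cgiemail was being abused, so the mechanism below is an assumption: the usual way a form-to-mail CGI turns into a spam relay is header injection, where a form value that is copied into a mail header carries a CR/LF followed by an extra "Bcc:" line, and the MTA delivers to every address in it. The example that follows is added here and is not cgiemail's code, nor anything from the Debian package or the patches mentioned above. It shows the naive construction next to a hardened one in Python; the form field names, SITE_RECIPIENT and the two sample submissions are constructed for the example.

```python
"""Form-to-mail handler: naive header construction next to a hardened one.

Added example; the field names, addresses and submissions are constructed.
"""
import re

# Constructed attacker submission: the e-mail field smuggles an extra header line.
INJECTED_FORM = {
    "email": "visitor@example.com\r\nBcc: spam-target1@example.net, spam-target2@example.net",
    "subject": "Enquiry",
    "message": "Hello",
}

# Constructed ordinary submission.
CLEAN_FORM = {
    "email": "visitor@example.com",
    "subject": "Enquiry",
    "message": "Hello",
}

# The destination is fixed by the site; it is never taken from the form.
SITE_RECIPIENT = "webmaster@example.org"


def build_message_naive(form, to_addr):
    """Vulnerable pattern: form values are spliced into header lines unchecked.

    A CR/LF inside form["email"] ends the From: line and starts a new header,
    so the submitter controls the recipient list.
    """
    return ("To: %s\r\nFrom: %s\r\nSubject: %s\r\n\r\n%s\r\n"
            % (to_addr, form["email"], form["subject"], form["message"]))


_CRLF = re.compile(r"[\r\n]")
_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def header_value(value, max_len=200):
    """Reject anything that could terminate the header line it is placed in."""
    if _CRLF.search(value):
        raise ValueError("header value contains CR or LF")
    if len(value) > max_len:
        raise ValueError("header value too long")
    return value


def build_message_hardened(form, to_addr):
    """Same message layout, but every header value is validated first.

    The sender must be a single plain address, the subject must be one line,
    and the recipient comes from the site configuration, not the form.
    """
    sender = header_value(form["email"])
    if not _ADDR.match(sender):
        raise ValueError("sender is not a plain address")
    subject = header_value(form["subject"])
    body = form["message"]  # body may span lines; it sits after the blank line
    return ("To: %s\r\nFrom: %s\r\nSubject: %s\r\n\r\n%s\r\n"
            % (to_addr, sender, subject, body))


def recipients(raw_message):
    """List every address an MTA would deliver to, from To/Cc/Bcc header lines."""
    headers, _, _ = raw_message.partition("\r\n\r\n")
    found = []
    for line in headers.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() in ("to", "cc", "bcc"):
            found.extend(a.strip() for a in value.split(",") if a.strip())
    return found


if __name__ == "__main__":
    # Naive handler: the injected submission adds two recipients.
    print(recipients(build_message_naive(INJECTED_FORM, SITE_RECIPIENT)))
    # Hardened handler: the same submission is refused.
    try:
        build_message_hardened(INJECTED_FORM, SITE_RECIPIENT)
    except ValueError as exc:
        print("rejected:", exc)
    print(recipients(build_message_hardened(CLEAN_FORM, SITE_RECIPIENT)))
```

The check that matters is the one in header_value: any CR or LF in a value destined for a header must cause the request to be rejected rather than silently stripped, so that the abuse shows up in the logs. Keeping the recipient out of the form entirely is the other half; a mailer that lets the form name its destination is a relay by design, whatever else it validates.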