cgiemail 1.6-14 vulnerable to spamming exploit (bug 222870)
Hello All
I discovered this morning that our web server has been exploited for the
relaying of spam. It has the latest "cgiemail" program distributed with
Debian installed on it.
First thing I did was disable the cgiemail executable to stop the flow
of spam.
Then I did some research. This is not a totally new scenario. After a
little web searching I have found:
1) An open bug report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=222870
2) A demonstration of the exploit on bugtraq:
http://seclists.org/lists/bugtraq/2002/Jun/0151.html
3) A patch which might fix the problem
http://www.securityfocus.com/archive/1/340174
4) An updated upstream version which may also fix the problem
http://web.mit.edu/wwwdev/cgiemail/cgiemail-beta.tar.gz
I am not a C expert so I am reluctant to attempt to patch or recompile
the thing myself. However maybe somebody out there can help.
Also I get the feeling that cgiemail is past its sell-by date and that
we should be looking for an alternative more secure and actively
supported program that is distributed with Debian (preferably woody).
Any suggestions what we could use?
This won't remove the requirement for us to carry on using cgiemail; many
of the pages we host use it. However maybe we should start weaning the
webmasters onto something new.
Thanks
Ian
--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388 Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa