[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: cgiemail 1.6-14 vulnerable to spamming exploit (bug 222870)



On Fri, Jan 23, 2004 at 01:12:48PM +0200, Ian Forbes wrote:
>Hello All
>
>I discovered this morning that our web server has been exploited for the 
>relaying of spam. It has the latest "cgiemail" program distributed with 
>Debian installed on it.

I've setup a temporary form with a 'subject' field to test the possible
vulnerability at:

http://sikuani.its.monash.edu.au/ams/cgiemail.html

The correponding template is at:

http://sikuani.its.monash.edu.au/template/test

The cgiemail version is 1.6-14 (stable).

Is my form similar to the form that you are/were using? If yes, could
you please tell us how to make it relay email?

>First thing I did was disable the cgiemail executable to stop the flow 
>of spam. 
>
>Then I did some research. This is not a totally new scenario. After a 
>little web searching I have found:
>
>1) An open bug report:
>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=222870
>
>2) A demonstration of the exploit on bugtraq:
>http://seclists.org/lists/bugtraq/2002/Jun/0151.html
>
>3) A patch which might fix the problem
>http://www.securityfocus.com/archive/1/340174
>
>4) An updated upstream version which may also fix the problem
>http://web.mit.edu/wwwdev/cgiemail/cgiemail-beta.tar.gz
>
>I am not a C expert so I am reluctant to attempt to patch or recompile 
>the thing myself. However maybe somebody out there can help.
>
>Also I get the feeling that cgiemail is past its sell-by date and that 
>we should be looking for an alternative more secure and actively 
>supported program that is distributed with Debian (preferably woody). 
>Any suggestions what we could use?
>
>This wont remove the requirement for us to carry on using cgiemail, many 
>of the pages we host use it. However maybe we should start weaning the 
>webmasters onto something new.
>
>Thanks
>
>Ian
>
>-- 
>Ian Forbes ZSD
>http://www.zsd.co.za
>Office: +27 21 683-1388  Fax: +27 21 674-1106
>Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa

Anibal Monsalve Salazar
--
 .''`.  Debian GNU/Linux      | Building 28C
: :' :  Free Operating System | Monash University VIC 3800
`. `'   http://debian.org/    | Australia
  `-                          |

Attachment: pgpCLl05zmcRX.pgp
Description: PGP signature


Reply to: