
Re: cgiemail 1.6-14 vulnerable to spamming exploit (bug 222870)

On Fri, Jan 23, 2004 at 01:12:48PM +0200, Ian Forbes wrote:
>Hello All
>I discovered this morning that our web server has been exploited for the 
>relaying of spam. It has the latest "cgiemail" program distributed with 
>Debian installed on it.

I've set up a temporary form with a 'subject' field to test the possible
vulnerability at:


The corresponding template is at:


The cgiemail version is 1.6-14 (stable).

Is my form similar to the form that you are/were using? If yes, could
you please tell us how to make it relay email?

>First thing I did was disable the cgiemail executable to stop the flow 
>of spam. 
>Then I did some research. This is not a totally new scenario. After a 
>little web searching I have found:
>1) An open bug report:
>2) A demonstration of the exploit on bugtraq:
>3) A patch which might fix the problem
>4) An updated upstream version which may also fix the problem
>I am not a C expert so I am reluctant to attempt to patch or recompile 
>the thing myself. However maybe somebody out there can help.
>Also I get the feeling that cgiemail is past its sell-by date and that 
>we should be looking for an alternative more secure and actively 
>supported program that is distributed with Debian (preferably woody). 
>Any suggestions what we could use?
>This won't remove the requirement for us to carry on using cgiemail, many 
>of the pages we host use it. However maybe we should start weaning the 
>webmasters onto something new.
>Ian Forbes ZSD
>Office: +27 21 683-1388  Fax: +27 21 674-1106
>Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa

Anibal Monsalve Salazar
 .''`.  Debian GNU/Linux      | Building 28C
: :' :  Free Operating System | Monash University VIC 3800
`. `'   http://debian.org/    | Australia
  `-                          |
