Bug#160813: cgiemail:/etc/cgiemail.conf is not consulted
Contrary to instructions given during installation, /etc/cgiemail.conf
is not being consulted. I installed with a default of /var/www/templates,
and this was duly put in the configuration file. I noticed that the existing template files which were *not* within /var/www/templates did not stop working. To test this I changed the /etc/cgiemail.conf to templatedir="/home/tmh", and observed that the template files in the webspace were still honoured - meaning the templatedir option is non-functional in this release.
Moreover, trying to open /cgi-bin/cgiemail/cgi-bin/cgiemail proved that it was attempting to read files in the cgi-bin directory - exactly the vulnerability that the templatedir parameter is supposed to stop.
Just to test, I deleted /etc/cgiemail.conf, and cgiemail refused to run, so I'm definitely running the correct binary (this machine didn't previously have cgiemail installed).
-- System Information:
Debian Release: testing/unstable
Kernel: Linux sisko 2.4.19-rc3-ac3 #1 Sun Aug 4 14:38:02 BST 2002 i686
Locale: LANG=C, LC_CTYPE=C
Versions of packages cgiemail depends on:
ii debconf 1.1.32 Debian configuration management sy
ii libc6 2.2.5-14.1 GNU C Library: Shared libraries an
-- debconf information excluded
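
The report describes templatedir as the setting meant to stop cgiemail reading files outside the template directory. As an added example (not cgiemail's code and not part of the report; `template_allowed`, `run_demo` and the temporary file tree are hypothetical), this is one way such a containment check can be written in C so that `..` components, symlinks and sibling directories sharing a name prefix are all refused:

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns 1 only if `path` resolves (".." and symlinks
 * followed) to something inside `templatedir`; 0 otherwise or on any error. */
int template_allowed(const char *templatedir, const char *path)
{
    char dir[PATH_MAX], file[PATH_MAX];
    size_t n;

    if (!realpath(templatedir, dir) || !realpath(path, file))
        return 0;                          /* fail closed */
    n = strlen(dir);
    if (n == 1)                            /* templatedir is "/" */
        return 1;
    /* Require a '/' after the prefix so "templates-old" != "templates". */
    return strncmp(dir, file, n) == 0 && file[n] == '/';
}

static void touch(const char *p) { FILE *f = fopen(p, "w"); if (f) fclose(f); }

/* Builds a constructed tree in a temp dir; bit i is set if case i is allowed. */
int run_demo(void)
{
    char base[] = "/tmp/tdirXXXXXX";
    int r = 0;

    if (!mkdtemp(base) || chdir(base) != 0) return -1;
    mkdir("templates", 0700); mkdir("cgi-bin", 0700); mkdir("templates-old", 0700);
    touch("templates/form.txt"); touch("cgi-bin/cgiemail"); touch("templates-old/x.txt");
    if (symlink("../cgi-bin/cgiemail", "templates/link") != 0) return -1;
    r |= template_allowed("templates", "templates/form.txt") << 0;
    r |= template_allowed("templates", "cgi-bin/cgiemail") << 1;
    r |= template_allowed("templates", "templates/../cgi-bin/cgiemail") << 2;
    r |= template_allowed("templates", "templates/link") << 3;
    r |= template_allowed("templates", "templates-old/x.txt") << 4;
    return r;
}

int main(void)
{
    printf("allowed mask: 0x%02x\n", run_demo());
    return 0;
}
```

Only the first case, a regular file directly under the configured directory, sets its bit; a regression test of this shape would have caught the behaviour reported above.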