Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (E-mail Server)  >   Cgiemail Vendors:   MIT
(Unofficial Patch is Available) Re: Cgiemail Web Mail System May Let Remote Users Relay Mail Via the System
SecurityTracker Alert ID:  1007997
SecurityTracker URL:
CVE Reference:   CVE-2002-1575   (Links to External Site)
Updated:  Feb 11 2004
Original Entry Date:  Oct 24 2003
Impact:   Host/resource access via network
Fix Available:  Yes  

Description:   An input validation vulnerability was reported in 'cgiemail'. A remote user may be able to create a specially crafted URL to cause the system to send unauthorized mail via the system.

It is reported that cgiemail contains an input validation flaw that lets remote users relay mail via the server.

According to the report, the software does not filter the new line code ('%0A') from user-supplied URLs. A remote user can reportedly use a predefined variable and add the '%0a' string and additional fields that will be interpreted by sendmail.

A demonstration exploit example is provided:



Impact:   A remote user can send arbitrary e-mail to user-specified addresses via cgiemail.
Solution:   A user has provided an unofficial patch [available in the Source Message].
Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Jun 17 2002 Cgiemail Web Mail System May Let Remote Users Relay Mail Via the System

 Source Message Contents

Subject:  patch for vulnerability in cgiemail

Recently we've seen a marked rise in attempts to exploit the bug in MIT's
cgiemail that's documented here:

Appended below is a quick patch to the cgilib.c file of the distribution,
designed to prevent abuse of the program.

Basically, it attempts to strip all non-printable characters (maybe a little
heavy-handed) from form input that's incorporated into the headers of the
resulting email.  It doesn't strip them from the body (assuming there's a
blank line between the two for it to make the distinction).


Matt Riffle
Senior Systems Programmer         
pair Networks, Inc.


< int noheader; // flag for when we exit template's header - MPR
< int flag;     // flag used to find split to set above flag - MPR
< /* MPR - 9/30/03 */
< void strip_nonprint(char *s) {
<   while (*s) {
<     if (!isprint(*s)) *s = ' ';
<     s++;
<   }
< }
<   char *myptr;
<   int count;
<           if (!noheader) 
<             {
<               strip_nonprint(formp->fields[i].value);
<             }
<           /* when flag hits 2, we're out of headers -- MPR */
<           if (flag >= 2) 
<             {
<               noheader = 1;
<             }
<               flag++;
<           if ((inchar != (int)' ') && (inchar != (int)'\n'))
<             {
<               flag = 0; 
<              } 
<           else 
<             {
<               if (inchar == (int)'\n') flag++;
<             }


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC