<<< Date Index >>>     <<< Thread Index >>>

patch for vulnerability in cgiemail



Recently we've seen a marked rise in attempts to exploit the bug in MIT's
cgiemail that's documented here:

  http://www.securitytracker.com/alerts/2002/Jun/1004549.html

Appended below is a quick patch to the cgilib.c file of the distribution,
designed to prevent abuse of the program.

Basically, it attempts to strip all non-printable characters (maybe a little
heavy-handed) from form input that's incorporated into the headers of the
resulting email.  It doesn't strip them from the body (assuming there's a
blank line between the two for it to make the distinction).

Regards,

Matt Riffle
------------------------O----------------------
Senior Systems Programmer         
pair Networks, Inc.        http://www.pair.com/
------------------------O----------------------

--

31,40d30
< int noheader; // flag for when we exit template's header - MPR
< int flag;     // flag used to find split to set above flag - MPR
< 
< /* MPR - 9/30/03 */
< void strip_nonprint(char *s) {
<   while (*s) {
<     if (!isprint(*s)) *s = ' ';
<     s++;
<   }
< }
432,433d421
<   char *myptr;
<   int count;
439,442d426
<           if (!noheader) 
<             {
<               strip_nonprint(formp->fields[i].value);
<             }
554,558d537
<           /* when flag hits 2, we're out of headers -- MPR */
<           if (flag >= 2) 
<             {
<               noheader = 1;
<             }
564d542
<               flag++;
567,574d544
<           if ((inchar != (int)' ') && (inchar != (int)'\n'))
<             {
<               flag = 0; 
<              } 
<           else 
<             {
<               if (inchar == (int)'\n') flag++;
<             }
1192d1161
<