cgiemail web-based email system does not adequately validate user input thereby causing buffer overflow in cgisco.c

2002-01-16T00:00:00
ID VU:185251
Type cert
Reporter CERT
Modified 2002-01-16T00:00:00

Description

Overview

There exists a buffer overflow vulnerability in cgiemail that allows execution of arbitrary code.

Description

cgiemail is a CGI program maintained that composes data submitted on Web forms into email messages. The cgicso.c component of the web-based email system cgiemail contains a buffer overflow vulnerability.


Impact

HTTP clients may execute arbitrary code on the web server, with the privileges of the web server process.


Solution

The CERT/CC is currently unaware of a practical solution to this problem.


Remove cgiemail from web servers that serve untrusted clients.


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Massachusetts Institute of Technology (MIT)| | 19 Oct 2001| 16 Jan 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://securitytracker.com/alerts/2001/Sep/1002395.html>
  • <http://web.mit.edu/wwwdev/cgiemail/>

Credit

Thanks to Security Tracker for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

  • CVE IDs: Unknown
  • Date Public: 16 Jan 2002
  • Date First Published: 16 Jan 2002
  • Date Last Updated: 16 Jan 2002
  • Severity Metric: 7.97
  • Document Revision: 10