cgiemail web-based email system does not adequately validate user input thereby causing buffer overflow in cgisco.c

ID VU:185251
Type cert
Reporter CERT
Modified 2002-01-16T00:00:00



There exists a buffer overflow vulnerability in cgiemail that allows execution of arbitrary code.


cgiemail is a CGI program that composes data submitted on Web forms into email messages. The cgicso.c component of the web-based email system cgiemail contains a buffer overflow vulnerability.


HTTP clients may execute arbitrary code on the web server, with the privileges of the web server process.


The CERT/CC is currently unaware of a practical solution to this problem.

Remove cgiemail from web servers that serve untrusted clients.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Massachusetts Institute of Technology (MIT) | | 19 Oct 2001 | 16 Jan 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A




Thanks to Security Tracker for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

  • CVE IDs: Unknown
  • Date Public: 16 Jan 2002
  • Date First Published: 16 Jan 2002
  • Date Last Updated: 16 Jan 2002
  • Severity Metric: 7.97
  • Document Revision: 10