There exists a buffer overflow vulnerability in cgiemail that allows execution of arbitrary code.
cgiemail is a CGI program that composes data submitted on Web forms into email messages. The cgicso.c component of the web-based email system cgiemail contains a buffer overflow vulnerability.
HTTP clients may execute arbitrary code on the web server, with the privileges of the web server process.
The CERT/CC is currently unaware of a practical solution to this problem.
Remove cgiemail from web servers that serve untrusted clients.
Vendor| Status| Date Notified| Date Updated
Massachusetts Institute of Technology (MIT)| | 19 Oct 2001| 16 Jan 2002
If you are a vendor and your product is affected, let us know.
Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A
Thanks to Security Tracker for reporting this vulnerability.
This document was written by Shawn Van Ittersum.