BugTraq
patch for vulnerability in cgiemail Oct 03 2003 05:58PM
Matt Riffle (matt pair com)

Recently we've seen a marked rise in attempts to exploit the bug in MIT's
cgiemail that's documented here:

http://www.securitytracker.com/alerts/2002/Jun/1004549.html

Appended below is a quick patch to the cgilib.c file of the distribution,
designed to prevent abuse of the program.

Basically, it attempts to strip all non-printable characters (maybe a little
heavy-handed) from form input that's incorporated into the headers of the
resulting email. It doesn't strip them from the body (assuming there's a
blank line between the two for it to make the distinction).

Regards,

Matt Riffle
------------------------O----------------------
Senior Systems Programmer
pair Networks, Inc. http://www.pair.com/
------------------------O----------------------

--

31,40d30
< int noheader; // flag for when we exit template's header - MPR
< int flag; // flag used to find split to set above flag - MPR
<
< /* MPR - 9/30/03 */
< void strip_nonprint(char *s) {
< while (*s) {
< if (!isprint(*s)) *s = ' ';
< s++;
< }
< }
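Review bot: `isprint(*s)` is called with a plain `char`; where `char` is signed, any byte 0x80 or above becomes a negative value, and passing anything other than an `unsigned char` value or `EOF` to the `<ctype.h>` functions is undefined behaviour. Use `if (!isprint((unsigned char)*s)) *s = ' ';` and make sure `<ctype.h>` is included (the include is not visible in this patch). Note also that the hunk is a reversed normal diff (the `<` lines are the new code and the header reads `31,40d30`), so it has to be applied with `patch -R` or by swapping the diff arguments; and `//` comments are C99, so `/* */` would be safer for the older compilers this code base targets.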
432,433d421
< char *myptr;
< int count;
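Review bot: `myptr` and `count` are declared here but no other hunk in the patch uses them, so they look like leftovers from an earlier revision; dropping them avoids unused-variable warnings and keeps the patch minimal.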
439,442d426
< if (!noheader)
< {
< strip_nonprint(formp->fields[i].value);
< }
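Review bot: `strip_nonprint` rewrites `formp->fields[i].value` in place, so the sanitised value persists for every later use of that field, including references from the template body; that contradicts the cover note's statement that the body is left untouched whenever a field appears in both places. If body references really must keep the raw value, strip a copy used for header substitution instead. Stripping the shared value is the safer default and is fine if documented, but the in-place mutation should be a deliberate choice rather than a side effect.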
554,558d537
< /* when flag hits 2, we're out of headers -- MPR */
< if (flag >= 2)
< {
< noheader = 1;
< }
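Review bot: `noheader` is set to 1 here but nothing in the patch ever resets it (or `flag`) to 0. Both are file-scope globals, so if template processing runs more than once in the same process (for example a second template after the mail template), the second template's headers are treated as body and are not sanitised. Reset `noheader = 0; flag = 0;` at the start of template processing.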
564d542
< flag++;
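Review bot: this unconditional `flag++` together with the additional `flag++` on `'\n'` in the following hunk means a single newline can take `flag` from 0 to 2 (and so trip `flag >= 2`) unless this line sits in a branch that is not reached for every character; the surrounding control flow is not visible in the patch, so a comment stating exactly what `flag` counts, and a test with a template whose first header line is followed by a non-blank second line, would make the intent verifiable.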
567,574d544
< if ((inchar != (int)' ') && (inchar != (int)'\n'))
< {
< flag = 0;
< }
< else
< {
< if (inchar == (int)'\n') flag++;
< }
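Review bot: `'\r'` is neither `' '` nor `'\n'`, so a template with CRLF line endings resets `flag` on every line and never reaches `flag >= 2`; `noheader` then stays 0 and the body is stripped too. That fails in the safe direction, but it silently mangles the message body of such templates. Treating `'\r'` (and `'\t'`) like `' '` in the first condition fixes this, and the `(int)` casts on the character literals are unnecessary since `int` is already the type of a character constant in C.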
1192d1161
<
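Review bot: this hunk only removes a blank line at line 1192 and has no functional effect; dropping it from the patch keeps the change minimal and avoids a spurious failure if the target file's trailing whitespace differs.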
