Debian Long Term Support / LTS Security Information / 2017 / Security Information -- DLA-869-1 cgiemail

Debian Security Advisory

DLA-869-1 cgiemail -- LTS security update

Date Reported:

24 Mar 2017

Affected Packages:

cgiemail

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 852031.
In Mitre's CVE dictionary: CVE-2017-5613, CVE-2017-5614, CVE-2017-5615, CVE-2017-5616.

More information:

The cPanel Security Team discovered several security vulnerabilities in cgiemail, a CGI program used to create HTML forms for sending mails:

• CVE-2017-5613

  A format string injection vulnerability allowed to supply arbitrary format strings to cgiemail and cgiecho. A local attacker with permissions to provide a cgiemail template could use this vulnerability to execute code as webserver user. Format strings in cgiemail tempaltes are now restricted to simple %s, %U and %H sequences.

• CVE-2017-5614

  An open redirect vulnerability in cgiemail and cgiecho binaries could be exploited by a local attacker to force redirect to an arbitrary URL. These redirects are now limited to the domain that handled the request.

• CVE-2017-5615

  A vulnerability in cgiemail and cgiecho binaries allowed injection of additional HTTP headers. Newline characters are now stripped from the redirect location to protect against this.

• CVE-2017-5616

  Missing escaping of the addendum parameter lead to a reflected cross-site (XSS) vulnerability in cgiemail and cgiecho binaries. The output is now html escaped.

For Debian 7 Wheezy, these problems have been fixed in version 1.6-37+deb7u1.

We recommend that you upgrade your cgiemail packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS