Package: cgiemail
Version: 1.6-14
Severity: important
Tags: security

Contrary to instructions given during installation, /etc/cgiemail.conf is not being consulted. I installed with a default of /var/www/templates, and this was duly put in the configuration file. I noticed that the existing template files which were *not* within /var/www/templates did not stop working. To test this I changed the /etc/cgiemail.conf to templatedir="/home/tmh", and observed that the template files in the webspace were still honoured - meaning the templatedir option is non-functional in this release.

Moreover, trying to open /cgi-bin/cgiemail/cgi-bin/cgiemail proved that it was attempting to read files in the cgi-bin directory - exactly the vulnerability that the templatedir parameter is supposed to stop.

Just to test, I deleted /etc/cgiemail.conf, and cgiemail refused to run, so I'm definitely running the correct binary (this machine didn't previously have cgiemail installed).

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux sisko 2.4.19-rc3-ac3 #1 Sun Aug 4 14:38:02 BST 2002 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages cgiemail depends on:
ii  debconf  1.1.32      Debian configuration management sy
ii  libc6    2.2.5-14.1  GNU C Library: Shared libraries an

-- debconf information excluded
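
The report above describes a templatedir restriction that is never enforced. One way such a check can be written, as an added example that is not part of the original report and not cgiemail's code (the names template_allowed, touch and demo are hypothetical, and the directory tree is constructed in a temporary directory):

```c
/* Added example; not cgiemail's code. All names are hypothetical. */
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 only if `requested` resolves to a path strictly below `templatedir`. */
int template_allowed(const char *templatedir, const char *requested)
{
    char base[PATH_MAX], target[PATH_MAX];
    size_t n;
    /* realpath() collapses "..", "//" and symlinks; any failure means deny. */
    if (!realpath(templatedir, base) || !realpath(requested, target))
        return 0;
    n = strcmp(base, "/") == 0 ? 0 : strlen(base);
    /* The match must end on a separator, so templates-old != templates. */
    return strncmp(base, target, n) == 0 && target[n] == '/';
}

/* Create an empty file at dir/name (constructed test fixture). */
static void touch(const char *dir, const char *name)
{
    char p[PATH_MAX];
    FILE *f;
    snprintf(p, sizeof p, "%s/%s", dir, name);
    if ((f = fopen(p, "w")) != NULL) fclose(f);
}

/* Build a constructed tree and return one bit per request that was allowed. */
int demo(void)
{
    char root[] = "/tmp/tmplXXXXXX", td[PATH_MAX], req[PATH_MAX];
    const char *reqs[] = { "templates/ok.txt", "templates/../cgi-bin/cgiemail",
                           "templates-old/x.txt", "templates/link", "templates/missing" };
    int i, bits = 0;
    if (!mkdtemp(root) || chdir(root) != 0) return -1;
    mkdir("templates", 0700); mkdir("templates-old", 0700); mkdir("cgi-bin", 0700);
    touch("templates", "ok.txt"); touch("templates-old", "x.txt"); touch("cgi-bin", "cgiemail");
    if (symlink("../cgi-bin/cgiemail", "templates/link") != 0) return -1; /* escaping link */
    snprintf(td, sizeof td, "%s/templates", root);
    for (i = 0; i < 5; i++) {
        snprintf(req, sizeof req, "%s/%s", root, reqs[i]);
        if (template_allowed(td, req)) bits |= 1 << i;
    }
    return bits; /* only bit 0 (templates/ok.txt) should be set */
}
```

The check and the later open are separate steps here; a production version would return the resolved path and open that, so the file that was checked is the file that is read.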