Published:2009/04/27  Last Updated:2009/04/28

Web Mailer from CGI RESCUE vulnerable to HTTP header injection


Web Mailer from CGI RESCUE contains a HTTP header injection vulnerability.

Products Affected

  • WEB Mailer v1.03 and earlier


Web Mailer from CGI RESCUE is a software that sends emails with contents that are input into a HTML form. Web Mailer contains a HTTP header injection vulnerability.


Falsified information may be displayed or an arbitrary script may be executed on the user's web browser. HTTP response splitting attacks are also possible as a result.


Update the software
Update to the latest version according to the information provided by the vendor.


JPCERT/CC Addendum

This vulnerability has been fixed and an updated version was released on February 9, 2009.

Vulnerability Analysis by JPCERT/CC

Analyzed on 2009.04.27

Measures Conditions Severity
Access Required Routed - can be attacked over the Internet using packets
  • High
Authentication None - anonymous or no authentication (IP addresses do not count)
  • High
User Interaction Required Simple - the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file
  • Medium
Exploit Complexity Low - little to no expertise and/or luck required to exploit (cross-site scripting)
  • High

Description of each analysis measures


Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
CVE CVE-2009-1591
JVN iPedia JVNDB-2009-000024

Update History