Helping people with computers... one answer at a time.
Cgiemail is a program that many websites use to send email. Unfortunately certain versions can be abused by spammers, and you get the blame.
A spammer is using my cgiemail, what do I do?
•
Cgiemail is a program developed by folks over at MIT. It's a CGI or server-side program designed to accept input from an HTML form, process that input against a template, and send the results as email. Recently, a vulnerability has been discovered that allows spammers to use cgiemail to send mail "through" the system on which cgiemail resides. This results in increased and sometimes overwhelming system load as well as the potential for spam to be sent in your name.
•
More details on the specifics of cgiemail's vulnerability can be found here on SecurityFocus.com.
Step one is easy: disable the existing cgiemail on your system. Move it out of your cgi-bin directory or its equivalent or take away its execute status. Forms using it will now no longer work.
There is no official, or at least timely, support from MIT for cgiemail. However various folks have patched or fixed the exploit individually. One example for those that have the source code (it's part of the distribution available at MIT) is provided here.
Aside from replacing cgiemail with a patched or updated version the only real alternative is to find or build an alternative. One of the more popular is called FormMail.
I wanted something that was a little closer to a plug-in replacement for cgiemail to minimize changes to either the forms that use it or the templates used. I wrote tmail.pl which while not quite as full featured as cgiemail, tackles common cgiemail-like templates with more of an eye to security.
The major differences that tmail.pl introduces are:
- Template parameters are required by default. Unless explicitly stated otherwise, it generates an error if a parameter is used in a template but not present in the form's input.
- A new type of parameter has been created: "email". When a template indicates that a parameter is of type email, some rudimentary checks are made to ensure that the entered data is in fact somewhat like a valid email address.
- Additional restrictions can be placed on a parameter. Specifically the value can be scanned for newlines (the source of the current exploit). If one is found an error results.
In addition, tmail.pl is a Perl script and takes an additional form parameter which is the name of the template. The template is typically found relative to the location of the Perl script so they can be moved to the cgibin directory where they are not directly readable by site visitors.
tmail.pl can be downloaded here.
Article C1850 - October 14, 2003
Leo A. Notenboom has been playing with computers since he
was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed.
After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers
to common computer and technical questions. More about Leo.
Does anyone have a "patched" copy of cgiemail that I can simply ftp upload to my server to overwrite my existing one? I am not a "c" programmer and don't have a compiler either.
Any help is appreciated.
Posted by: Larry at November 2, 2004 5:27 AMDon't know if there is one, but this would be the place to start looking: http://web.mit.edu/wwwdev/cgiemail/
Posted by: Leo at November 2, 2004 1:32 PMHello,
I would like to use tmail.pl but my hosting service does not support it. They say to use the NET::SMTP component, as opposed to Sendmail.
Do you know what that means and how I get around it?
Thanks
Posted by: Maryann at November 28, 2006 2:44 PMMaryann
Thanks for this script, Leo. The only problem that I am having is getting the prefix "required-" to work. I must be missing something, but if the form has a field input name "required-firstName" and the template has [required-firstName] one can still send the form without filing in the first name field.
Other than that, it works great and I love the new parameter prefixes. Thanks.
Rick
Posted by: Rick at July 6, 2008 9:12 AMFor a real solution that introduces an optical security feature bundled in a PHP program that is easily implemented and thoroughly documented FOR FREE, go to:
http://www.dagondesign.com/articles/secure-php-form-mailer-script
Regarding question: Is there a way to find all pages that use cgiemail?
Well, the simple way would be to remove all permissions from the cgi-script...then they will come to you when it no longer works!
Posted by: Brian at January 3, 2009 7:16 AM