Comments
Read the article that everyone's commenting on.
Subscribe to the RSS Feed for comments on this article.
Is there a way to find all pages that use cgiemail? It would be a great service to all of us if someone could find them all and email the webmasters to inform them of the spammer hijacking risk and possible fixes.
Posted by: Carl Manaster at October 17, 2003 10:23 PM"Is there a way to find all pages that use cgiemail?" Not that I'm aware of offhand. Search engine cataloging of the usage of cgiemail is spotty at best, since most of the search engines avoid a lot of dynamic content and/or cgi scripts. Most ISPs are (or should be) on various security mailing lists that have discussed this issue. It's quite common to find cgiemail on ISP provided web hosts, and if they're on top of things, they'll be aware of the problem. Certainly they will be if they get hijacked.
Leo
Posted by: Leo at October 17, 2003 10:46 PMWell, by default there's a header field enabled:
"X-Mailer: cgiemail "
If one personally doesn't expect to recieve mail generated by a web form (which, if one doesn't have a website with such a form, is a pretty safe bet) one can add a filter to block mails coming with that particular header.
That's an individual, and not systematic, solution, however. I myself prefer FormMail because the source is more easily modifiable, and you don't have to compile it.
Posted by: Kit Peters at October 18, 2003 8:16 AMFor the record: tmail.pl is in Perl, and once you download it it's easy to modify and you can do so to your heart's content.
Leo
Posted by: LeoN at October 18, 2003 10:39 PMHello,
It has been brought to my attention that tmail is exploitable. I am in the process of working out with my SA where the problem lies, please feel free to contact me via telephone at 407.445.3033x2167. I am available from 4PM-12AM tuesday through saturday.
A poorly designed template can still be exploited. Do let me know if you find out something more.
Posted by: Leo at July 20, 2004 2:34 PMDoes anyone have a "patched" copy of cgiemail that I can simply ftp upload to my server to overwrite my existing one? I am not a "c" programmer and don't have a compiler either.
Any help is appreciated.
Posted by: Larry at November 2, 2004 5:27 AMDon't know if there is one, but this would be the place to start looking: http://web.mit.edu/wwwdev/cgiemail/
Posted by: Leo at November 2, 2004 1:32 PMHello,
I would like to use tmail.pl but my hosting service does not support it. They say to use the NET::SMTP component, as opposed to Sendmail.
Do you know what that means and how I get around it?
Thanks
Maryann
Thanks for this script, Leo. The only problem that I am having is getting the prefix "required-" to work. I must be missing something, but if the form has a field input name "required-firstName" and the template has [required-firstName] one can still send the form without filing in the first name field.
Other than that, it works great and I love the new parameter prefixes. Thanks.
Rick
Posted by: Rick at July 6, 2008 9:12 AM
Subscribe to the RSS Feed for comments on this article.
To post a comment on "A spammer is using my cgiemail, what do I do?", please return to that article's main page.