
A spammer is using my cgiemail, what do I do?

Cgiemail is a program developed by
folks over at MIT. It’s a CGI or server-side program designed to
accept input from an HTML form, process that input against a
template, and send the results as email. Recently, a
vulnerability has been discovered that allows spammers to use
cgiemail to send mail “through” the system on which cgiemail
resides. This results in increased and sometimes overwhelming
system load as well as the potential for spam to be sent in
your name.

More details on the specifics of cgiemail’s vulnerability
can be found here on
SecurityFocus.com.

Step one is easy: disable the existing cgiemail on your
system. Move it out of your cgi-bin directory or its
equivalent or take away its execute status. Forms using it
will now no longer work.

There is no official, or at least timely, support from MIT
for cgiemail. However various folks
have patched or fixed the exploit individually. One example for
those that have the source code (it’s part of the distribution
available at MIT) is provided here.

Aside from replacing cgiemail with a patched or updated version,
the only real alternative is to find or build a different
form-to-mail program. One of the more popular is called FormMail.

I wanted something that was a little closer to a plug-in
replacement for cgiemail to minimize changes to either the
forms that use it or the templates used. I wrote tmail.pl
which while not quite as full featured as cgiemail, tackles
common cgiemail-like templates with more of an eye to
security.

The major differences that tmail.pl introduces are:

  • Template parameters are required by default. Unless
    explicitly stated otherwise, it generates an error if a
    parameter is used in a template but not present in the form’s
    input.
  • A new type of parameter has been created: “email”. When a
    template indicates that a parameter is of type email, some
    rudimentary checks are made to ensure that the entered data is in
    fact somewhat like a valid email address.
  • Additional restrictions can be placed on a parameter.
    Specifically, the value can be scanned for newlines (the source
    of the current exploit). If one is found, an error results.

In addition, tmail.pl is a Perl script, and it takes one additional
form parameter: the name of the template. Templates are located
relative to the script itself, so they can be placed in the
cgi-bin directory, where they are not directly readable by site
visitors.

tmail.pl can be downloaded
here.
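To make those three rules concrete, here is an added Python illustration of a template-driven form mailer that enforces them. It is not tmail.pl (which is Perl) and not cgiemail's code; the placeholder prefixes, the sample template and the form submissions are all constructed for this example. Fields are required unless marked optional, an "email" field must at least look like a single address, and any value substituted into the header block is refused if it contains a line break. A deliberately unchecked renderer sits beside the hardened one so you can see how a stray newline in one form value becomes an extra mail header.

```python
import re
from email import message_from_string

# Constructed placeholder syntax for this example (not tmail.pl's or cgiemail's):
#   [name]            required text field (the default)
#   [optional-name]   may be missing or empty
#   [email-name]      required and must look like one e-mail address
#   [oneline-name]    required and must not contain CR or LF
PLACEHOLDER = re.compile(r"\[(?:(optional|email|oneline)-)?([A-Za-z0-9_]+)\]")

# Rudimentary address shape: one token, one "@", a dotted domain, and no
# whitespace, angle brackets or list separators.
EMAIL_RE = re.compile(r"^[^\s@<>,;]+@[^\s@<>,;]+\.[A-Za-z0-9-]+$")
NEWLINE_RE = re.compile(r"[\r\n]")


class TemplateError(ValueError):
    """Raised when form input does not satisfy the template's constraints."""


def split_template(template):
    """Split a template at its first blank line into (header block, body)."""
    head, sep, body = template.partition("\n\n")
    if not sep:
        raise TemplateError("template lacks a blank line between headers and body")
    return head, body


def validate_value(kind, name, value, in_headers):
    """Check one form value against its placeholder kind and its position."""
    if value is None or value == "":
        if kind == "optional":
            return ""
        raise TemplateError(f"required parameter {name!r} missing from form input")
    if kind == "email" and not EMAIL_RE.match(value):
        raise TemplateError(f"parameter {name!r} is not a plausible e-mail address")
    # A CR or LF substituted into the header block would start a new header
    # line: that is the injection the article describes.  "oneline" fields
    # are held to the same rule wherever they appear in the template.
    if (kind == "oneline" or in_headers) and NEWLINE_RE.search(value):
        raise TemplateError(f"parameter {name!r} contains a line break")
    return value


def render(template, form):
    """Fill the template from form input, refusing anything unsafe."""
    headers, body = split_template(template)

    def substituter(in_headers):
        def sub(match):
            kind, name = match.group(1), match.group(2)
            return validate_value(kind, name, form.get(name), in_headers)
        return sub

    return (PLACEHOLDER.sub(substituter(True), headers)
            + "\n\n" + PLACEHOLDER.sub(substituter(False), body))


def render_unchecked(template, form):
    """Plain substitution with no checks, kept only to show the failure mode."""
    return PLACEHOLDER.sub(lambda m: form.get(m.group(2), ""), template)


def header_names(message_text):
    """Header field names a mail parser sees in a rendered message."""
    return list(message_from_string(message_text).keys())


def rejects(template, form):
    """True if render() refuses this form input."""
    try:
        render(template, form)
    except TemplateError:
        return True
    return False


# Constructed sample template.  The recipient is fixed here on the server,
# so no form field can choose where the mail goes.
TEMPLATE = (
    "To: webmaster@example.com\n"
    "From: [email-from]\n"
    "Subject: [oneline-subject]\n"
    "\n"
    "Name: [name]\n"
    "Phone: [optional-phone]\n"
    "Message:\n"
    "[message]\n"
)

# Constructed form submissions: a normal one and one with a newline in a
# value that lands in the header block.
GOOD_FORM = {
    "from": "alice@example.org",
    "subject": "Question about hosting",
    "name": "Alice",
    "message": "Hello,\nis the plan still available?",
}
INJECTED_FORM = dict(GOOD_FORM, subject="Hi\nX-Injected: 1")

if __name__ == "__main__":
    print(render(TEMPLATE, GOOD_FORM))
    print("unchecked headers:", header_names(render_unchecked(TEMPLATE, INJECTED_FORM)))
    print("checked render rejects it:", rejects(TEMPLATE, INJECTED_FORM))
```

Running the script prints the safely rendered message, then shows that the unchecked renderer turns the injected subject into a fourth header while the checked one raises instead. Newlines are still allowed in `[message]` because it is substituted below the blank line, where a line break cannot create a header; only header-block and "oneline" fields are restricted.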

11 comments on “A spammer is using my cgiemail, what do I do?”

  1. Is there a way to find all pages that use cgiemail? It would be a great service to all of us if someone could find them all and email the webmasters to inform them of the spammer hijacking risk and possible fixes.

    Reply
  2. “Is there a way to find all pages that use cgiemail?” Not that I’m aware of offhand. Search engine cataloging of the usage of cgiemail is spotty at best, since most of the search engines avoid a lot of dynamic content and/or cgi scripts. Most ISPs are (or should be) on various security mailing lists that have discussed this issue. It’s quite common to find cgiemail on ISP provided web hosts, and if they’re on top of things, they’ll be aware of the problem. Certainly they will be if they get hijacked.

    Leo

    Reply
  3. Well, by default there’s a header field enabled:

    “X-Mailer: cgiemail “

    If one personally doesn’t expect to receive mail generated by a web form (which, if one doesn’t have a website with such a form, is a pretty safe bet) one can add a filter to block mails coming with that particular header.

    That’s an individual, and not systematic, solution, however. I myself prefer FormMail because the source is more easily modifiable, and you don’t have to compile it.

    Reply
  4. Hello,
    It has been brought to my attention that tmail is exploitable. I am in the process of working out with my SA where the problem lies, please feel free to contact me via telephone at 407.445.3033×2167. I am available from 4PM-12AM Tuesday through Saturday.

    Reply
  5. Does anyone have a “patched” copy of cgiemail that I can simply ftp upload to my server to overwrite my existing one? I am not a “c” programmer and don’t have a compiler either.

    Any help is appreciated.

    Reply
  6. Hello,

    I would like to use tmail.pl but my hosting service does not support it. They say to use the NET::SMTP component, as opposed to Sendmail.

    Do you know what that means and how I get around it?

    Thanks
    Maryann

    Reply
  7. Thanks for this script, Leo. The only problem that I am having is getting the prefix “required-” to work. I must be missing something, but if the form has a field input name “required-firstName” and the template has [required-firstName] one can still send the form without filling in the first name field.

    Other than that, it works great and I love the new parameter prefixes. Thanks.

    Rick

    Reply