PDA

View Full Version : CGIEmail no longer supported



dmenese
05-31-2004, 09:12 AM
I received an email from Westhost telling me that due to security issues I should change my cgiemail-based forms to Formmail.

My questions are:

How much time I have to perform that changes?
Anyone of you received similar emails?
What if I don't have time to change those forms? Will Westhost disable cgiemail anyway?

Regards,
Diego Menese.

jalal
05-31-2004, 11:13 AM
Everybody who had a copy of cgiemail on their server got the email I think. It was installed by default on the old WH1 servers and when sites were upgraded it was copied over, even if it was never used.

In the email it said that if you have any questions you can contact support and they will help you out.

HTH

wildjokerdesign
05-31-2004, 01:01 PM
Diego Menese,

Jalal is correct everyone who had it on thier old accounts got the email. It is best if you do disable it even if you do not have time to switch over at this time. It could well be used by a spammer to send out spam and if that happens it is possible that your site could be affected. It only takes about 5 mins to set up either the WH supplied formmail or the newer NMS FormMail.

Happy to give you some help if you need it.

dmenese
05-31-2004, 01:43 PM
But I already setup up permissions for the owner only (not the groups nor others).

Very often I can see some logs trying to access cgiemail; but they always receive a 404 error.

Is then necessary to change these scripts?!?!?!

wildjokerdesign
05-31-2004, 03:19 PM
Well the authors of the script are no longer around and the last update on the "official" cgiemail site was 12/20/2002 http://web.mit.edu/wwwdev/cgiemail/ It does not even address the current security problem. I did find some more information on the security risk.
http://www.securitytracker.com/alerts/2002/Jun/1004549.html
Also found some links that claim to have a fix for it.
http://www.securityfocus.com/archive/1/340174
http://www.securityfocus.com/archive/1/340174

I think you have to decide if you want to take the risk of haveing a spammer relay through your site. You might also want to check out the post here on the forum of a user that had a problem with it.
http://forums.westhost.com/phpBB2/viewtopic.php?t=1945

For me it would have taken more time to make sure it is secure then to simply switch. I was also already using FormMail on all sites but the one I had forgotten about so it was simply a matter of switching that one and removeing the program from the other sites.

dmenese
06-03-2004, 07:36 AM
Thank you very much Wild Joker. I'll try to make the changes asap since these security issues seem a big problem.

Regards,
Diego.

rhodan
07-17-2004, 04:40 AM
I just got slammed from this security flaw in cgiemail. I had 3,000 emails bounced back to me from aol.com and I have no idea how many emailes were in fact sent through my system. My suggestion is to destroy anything that is related to cgiemail on your accounts. I never knew it was installed and in fact only a few files were installed on my account.

Here is my post about it: http://forums.westhost.com/phpBB2/viewtopic.php?t=2072&highlight=cgiemail