The Removal of cgiemail and cgiecho

Overview

Recently-discovered flaws in the cgiemail and cgiecho scripts have caused cPanel, Inc. to remove support for them in cPanel & WHM. The upstream author of the cgiemail scripts has not provided maintenance in over a decade. While cPanel, Inc. has provided patches for issues and vulnerabilities when we discover them, modern shared hosting environments should not depend on this script.

To remove the cgiemail and cgiecho scripts from your system, perform the correct steps for your version of cPanel & WHM:

• cPanel & WHM version 64 and earlier — Manually remove the cgiemail and cgiecho scripts from the cgi-sys directory and cgi-bin directories. To do this, manually run the /usr/local/cpanel/scripts/clean_cgiemail script.
• cPanel & WHM version 68 — Remove these scripts via the Feature Showcase interface when you log in to WHM. This feature automatically runs the /usr/local/cpanel/scripts/clean_cgiemail script.

The clean_cgiemail script

The /usr/local/cpanel/scripts/clean_cgimail script removes the cpanel-cgiemail RPM from the system. It also removes copies of the cgiemail and cgiecho scripts from users' cgi-bin directories.

To use this script, run the following command:

/usr/local/cpanel/scripts/clean_cgimail [arguments]

Arguments

The /usr/local/cpanel/scripts/clean_cgimail script accepts the following arguments:

Example

For example, run the following command to remove the cpanel-cgiemail RPM and remove the cgiemail script from the username user's home directory:

/usr/local/cpanel/scripts/clean_cgiemail --rpm --docroot --user=username

This command's output will resemble the following example:

info [clean_cgiemail] Removing RPM: cpanel-cgiemail-1.6-5.cp1136.x86_64 ...
info [clean_cgiemail] Success.
info [clean_cgiemail] Removing file: /home/foobar/public_html/cgi-bin/cgiemail ...
info [clean_cgiemail] Success.
info [clean_cgiemail] Found 1 scripts in user docroots.

Additional documentation