The Removal of cgiemail and cgiecho
Last modified: February 21, 2020
Recently-discovered flaws in the
cgiecho scripts have caused cPanel, L.L.C. to remove support for them in cPanel & WHM. The upstream author of the
cgiemail scripts has not provided maintenance in over a decade. While cPanel, L.L.C. has provided patches for issues and vulnerabilities when we discover them, modern shared hosting environments should not depend on this script.
To remove the
cgiecho scripts from your system, perform the correct steps for your version of cPanel & WHM:
cPanel & WHM version 64 and earlier — Manually remove the
cgiechoscripts from the
cgi-bindirectories. To do this, manually run the
cPanel & WHM version 68 — Remove these scripts via the Feature Showcase interface when you log in to WHM. This feature automatically runs the
The clean cgiemail script
/usr/local/cpanel/scripts/clean_cgimail script removes the
cpanel-cgiemail RPM from the system. It also removes copies of the
cgiecho scripts from users’
To use this script, run the following command:
/usr/local/cpanel/scripts/clean_cgimail script accepts the following options:
--rpm— Remove the
--docroot— Remove the
cgiemailscripts from users’ home directories.
--user=username— Remove the
cgiemailscript from only the username user’s home directory.Note:Use this argument with the
--dryrun— Only view a list of files that the script will remove.
--notify— Send a notification to the system administrator when the script runs.
For example, run the following command to remove the
cpanel-cgiemail RPM and remove the
cgiemail script from the username user’s home directory:
/usr/local/cpanel/scripts/clean_cgiemail --rpm --docroot --user=username
This command’s output will resemble the following example: