ShopSite Knowledgebase

ShopSite tellfriend.cgi used for sending spam emails

PRODUCT: ShopSite Manager and Pro
VERSION: v8.0 through 11 r1.1
PLATFORM: ALL

We’ve recently had reports that the Tell A Friend feature is being used by 3^rd parties to send spam.  We recommend that merchants with this feature enabled do the following:

• If using ShopSite Manager or Pro version 10 sp1 or greater (including ShopSite 10 sp2 and ShopSite 11) then under Merchandising > Social Media > Share with Friends select the “Share with Friends” radio button instead of the “Tell a Friend” option.
•  If using ShopSite Manager or Pro versions 8 through 10  then under Merchandising > Tell a Friend disable the Tell a Friend feature.

If you are a hosting provider, besides telling your merchants to do the above your other options are:

• Block the IP being used to access the tellafriend.cgi.  Currently the IP being used is 112.202.38.30
• Automatically switch off tellafriend or switch to Share with Friends.  To do this in v10 sp1 stores and greater edit the sbdata.aa file found in the store’s data directory and set the "tellfriend_enabled:" token to “0” to disable it or to “2” to set it to Share with Friends.  For example:

                 tellfriend_enabled: 0
         
           In v10 stores and earlier set “tellfriend_enabled:” to no value instead of “checked.”  For example:
                
                 tellfriend_enabled:

• Apply the patches, if available for your ShopSite version. If using an order ShopSite version, upgrade to a newer version of ShopSite where patches are available to resolve this. You can also remove the tellafriend.cgi, if necessary, it will not interfere with the order process or affect merchants who are already using the newer Share With Friends feature (10 sp1 and newer).
  

Patches for ShopSite 11 r1 that automatically switches from the Tell A Friend feature (if enabled) to Share With Friends and removes the Tell A Friend feature from ShopSite are now available for the Linux, FreeBSD, and Solaris SPARC operating systems and can be found on the ShopSite partner FTP site in the [operating_system]/11-r1/patch/ directories.

Patches for ShopSite 10 sp2 r2 that automatically switches from the Tell A Friend feature (if enabled) to Share With Friends and removes the Tell A Friend feature from ShopSite are now available for the Linux operating system, and can be found on the ShopSite partner FTP site in the linux/10-sp2r2/patch/ directory.

The patch files consist of a new tellfriend.cgi (replace the file of the same name in the 'sc' or 'sb' CGI directory), tellfriend_conf.cgi, and libsscommon.so.1 (both of which should replace the files of the same name in the 'ss' or 'bo' CGI directory). When using FTP to transfer these patch files make sure your FTP client is using Binary mode for the transfer.


If you are a merchant you do not need to apply these patches, as you can just disable the Tell A Friend feature in the ShopSite backoffice (see above).

Related Articles

No related articles were found.

Attachments

No attachments were found.

Visitor Comments