In this article we’ll discuss the built-in guestbook.cgi script that is available from cPanel, and how to disable it in case it is causing your website to fail a PCI compliance scan. If you happened to have read our previous article on how to pass PCI compliance scans, the cPanel /cgi-sys/guestbook.cgi script is a common test that will cause a PCI scan to fail for your website.
Disabling the cPanel guestbook.cgi script requires two steps, first accessing the Feature Manager in WHM (Web Host Manager) with root access already being setup on your server to disable the feature showing up in cPanel so a user doesn’t try to install it and ends up with an error. Then you need to login to your server via SSH as the root user to modify your Apache configuration to prevent the script from being accessible.
You can follow the steps below in order to disable this script so that you can pass a PCI scan that is failing your website for having it enabled.
- Log into WHM.
- In the Find box type in feature, then click on Feature Manager.
- Under the Edit a Feature List drop-down, leave default selected, then click on Edit.
- Scroll down the page and un-check Simple Guestbook, then click on Save at the bottom of the page.
- You should now see that the default feature list was saved.
- Now when viewing the CGI Center in cPanel, you’ll notice the Simple GuestBook link is no longer available.
- Now to disable the script from being accessible log into your server via SSH.
- Make a copy of your current Apache configuration with the following command:
cp -frp /usr/local/apache/conf/httpd.conf{,.backup}
- Now edit your Apache configuration with your favorite text editor, in this example we are using vim.
vim /usr/local/apache/conf/httpd.conf
Navigate down to your VirtualHosts section for your domain which should look like the following:
<VirtualHost 123.123.123.123:80> ServerName example.com ServerAlias www.example.com DocumentRoot /home/dummydom/public_html ServerAdmin [email protected] ## User dummydom # Needed for Cpanel::ApacheConf <IfModule mod_suphp.c> suPHP_UserGroup dummydom dummydom </IfModule> <IfModule !mod_disable_suexec.c> <IfModule !mod_ruid2.c> SuexecUserGroup dummydom dummydom </IfModule> </IfModule> <IfModule mod_ruid2.c> RUidGid dummydom dummydom </IfModule> CustomLog /usr/local/apache/domlogs/example.com-bytes_log "%{%s}t %I .\n%{%s}t %O ." CustomLog /usr/local/apache/domlogs/example.com combined ScriptAlias /cgi-bin/ /home/dummydom/public_html/cgi-bin/ # To customize this VirtualHost use an include file at the following location # Include "/usr/local/apache/conf/userdata/std/2/yourdom/example.com/*.conf" </VirtualHost>
You’ll want to uncomment the following line:
# Include "/usr/local/apache/conf/userdata/std/2/dummydom/example.com/*.conf"
By placing your cursor over the pound symbol # and hitting Delete on your keyboard:
Include "/usr/local/apache/conf/userdata/std/2/dummydom/example.com/*.conf"
Now you can save the file by hitting : to enter command mode, and then entering in wq for write and quit.
- Next create the Apache include directory with the following command of course using the paths for your account instead of this example one:
mkdir -p /usr/local/apache/conf/userdata/std/2/dummydom/example.com/
- Now you’ll want to echo the following value into a disable_cgisys.conf file inside that directory you just created:
echo "ScriptAlias /cgi-sys/ /home/dummydom/public_html/cgi-bin/" > /usr/local/apache/conf/userdata/std/2/dummydom/example.com/disable_cgisys.conf
- Next rebuild the Apache configuration so that the new include path is built-in with the following command:
/scripts/rebuildhttpdconf
You should get back the response:
Built /usr/local/apache/conf/httpd.conf OK
- Now you want to restart Apache using the following command:
service httpd restart
- Finally you’ll want to create a symbolic link to handle HTTPS requests as well in case you have an SSL certificate setup on your domain using the following command:
ln -s /usr/local/apache/conf/userdata/std/2/dummydom/example.com/disable_cgisys.conf /usr/local/apache/conf/userdata/ssl/2/dummydom/example.com/disable_cgisys.conf
The difference above is the /std/ and /ssl/ part of the path.
- Now if you try to view a guestbook page you’ll see it is no longer found:
So now that the cPanel guestbook.cgi script is no longer accessible on the server, you should be able to pass a PCI scan that previously had failed your website for having it accessible. If you run into any other issues in your scan, please note that it is possible to disable other cPanel features that might pose potential risks or compliance concerns.