In this article we'll discuss the built-in guestbook.cgi script that is available from cPanel, and how to disable it in case it is causing your website to fail a PCI compliance scan. As covered in our previous article on how to pass PCI compliance scans, the cPanel /cgi-sys/guestbook.cgi script is a common test that will cause a PCI scan to fail for your website.

You can read our article on using cPanel's simple guestbook script to get a good idea of exactly what the guestbook script does and how to use it on your website.

Disabling the cPanel guestbook.cgi script requires two steps. First, with root access already set up on your server, use the Feature Manager in WHM (Web Host Manager) to stop the feature from showing up in cPanel, so a user doesn't try to install it and end up with an error. Then log in to your server via SSH as the root user and modify your Apache configuration to prevent the script from being accessible.

You can follow the steps below in order to disable this script so that you can pass a PCI scan that is failing your website for having it enabled.

  1. Log into WHM.
  2. In the Find box type in feature, then click on Feature Manager.
  3. Under the Edit a Feature List drop-down, leave default selected, then click on Edit.
  4. Scroll down the page and un-check Simple Guestbook, then click on Save at the bottom of the page.
  5. You should now see that the default feature list was saved.
  6. Now when viewing the CGI Center in cPanel, you'll notice the Simple GuestBook link is no longer available.
  7. Now, to disable the script from being accessible, log in to your server via SSH.
  8. Make a copy of your current Apache configuration with the following command:

    cp -frp /usr/local/apache/conf/httpd.conf{,.backup}

  9. Now edit your Apache configuration with your favorite text editor; in this example we are using vim.

    vim /usr/local/apache/conf/httpd.conf

    Navigate down to your VirtualHosts section for your domain which should look like the following:

    <VirtualHost 123.123.123.123:80>
        ServerName yourdomain.com
        ServerAlias www.yourdomain.com
        DocumentRoot /home/dummydom/public_html
        ServerAdmin webmaster@yourdomain.com
        ## User dummydom # Needed for Cpanel::ApacheConf
        <IfModule mod_suphp.c>
            suPHP_UserGroup dummydom dummydom
        </IfModule>
        <IfModule !mod_disable_suexec.c>
            <IfModule !mod_ruid2.c>
               SuexecUserGroup dummydom dummydom
            </IfModule>
        </IfModule>
        <IfModule mod_ruid2.c>
           RUidGid dummydom dummydom
        </IfModule>
        CustomLog /usr/local/apache/domlogs/yourdomain.com-bytes_log "%{%s}t %I .\n%{%s}t %O ."
        CustomLog /usr/local/apache/domlogs/yourdomain.com combined
        ScriptAlias /cgi-bin/ /home/dummydom/public_html/cgi-bin/
        # To customize this VirtualHost use an include file at the following location
        # Include "/usr/local/apache/conf/userdata/std/2/dummydom/yourdomain.com/*.conf"
    </VirtualHost>
    

    You'll want to uncomment the following line:

    # Include "/usr/local/apache/conf/userdata/std/2/dummydom/yourdomain.com/*.conf"

    Do this by placing your cursor over the pound symbol # and hitting Delete on your keyboard, so that the line reads:

    Include "/usr/local/apache/conf/userdata/std/2/dummydom/yourdomain.com/*.conf"

    Now you can save the file by hitting : to enter command mode, and then entering wq for write and quit.

  10. Next, create the Apache include directory with the following command, using the paths for your own account instead of the example ones:

    mkdir -p /usr/local/apache/conf/userdata/std/2/dummydom/yourdomain.com/

  11. Now you'll want to echo the following value into a disable_cgisys.conf file inside that directory you just created:

    echo "ScriptAlias /cgi-sys/ /home/dummydom/public_html/cgi-bin/" > /usr/local/apache/conf/userdata/std/2/dummydom/yourdomain.com/disable_cgisys.conf

  12. Next, rebuild the Apache configuration so that the new include path is built in, using the following command:

    /scripts/rebuildhttpdconf

    You should get back the response:

    Built /usr/local/apache/conf/httpd.conf OK

  13. Now you want to restart Apache using the following command:

    service httpd restart

  14. Finally, you'll want to create a symbolic link to handle HTTPS requests as well, in case you have an SSL certificate set up on your domain, using the following command:

    ln -s /usr/local/apache/conf/userdata/std/2/dummydom/yourdomain.com/disable_cgisys.conf /usr/local/apache/conf/userdata/ssl/2/dummydom/yourdomain.com/disable_cgisys.conf

    The only difference between the two paths above is the /std/ versus /ssl/ part.

  15. Now if you try to view a guestbook page, you'll see it is no longer found.

So now that the cPanel guestbook.cgi script is no longer accessible on the server, you should be able to pass a PCI scan that previously had failed your website for having it accessible.
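
To check that both the HTTP and HTTPS VirtualHosts picked up the override from steps 9 through 14, the following added example (not part of the original article) parses an Apache configuration and reports, per VirtualHost, whether /cgi-sys/ is overridden or still uses the server default. The function names `audit_cgisys` and `make_sample` and the sample configuration are constructed for illustration; include paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: report, per VirtualHost, whether /cgi-sys/ is overridden
# directly or through an active (uncommented) userdata Include.
# Assumption: include paths contain no spaces.
audit_cgisys() {
    awk '
        /^[ \t]*<VirtualHost[ \t]/ { addr = $2; sub(/>$/, "", addr); name = "-"; direct = 0; incs = ""; next }
        /^[ \t]*ServerName[ \t]/ { name = $2 }
        /^[ \t]*ScriptAlias[ \t]+\/cgi-sys\// { direct = 1 }
        /^[ \t]*Include[ \t]/ { p = $2; gsub(/"/, "", p); incs = incs " " p }
        /^[ \t]*<\/VirtualHost>/ { print addr, name, direct incs }
    ' "$1" |
    while read -r addr name direct incs; do
        state=default
        if [ "$direct" = 1 ]; then state=overridden; fi
        for f in $incs; do   # unquoted on purpose so the *.conf glob expands
            if [ -f "$f" ] && grep -Eq '^[[:space:]]*ScriptAlias[[:space:]]+/cgi-sys/' "$f"; then
                state=overridden
            fi
        done
        echo "$addr $name $state"
    done
}

# Constructed sample: the port-80 vhost has the include from steps 9-11;
# the port-443 vhost has not yet received the step-14 symlink.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/std/yourdomain.com" "$d/ssl/yourdomain.com"
    echo 'ScriptAlias /cgi-sys/ /home/dummydom/public_html/cgi-bin/' \
        > "$d/std/yourdomain.com/disable_cgisys.conf"
    cat > "$d/httpd.conf" <<EOF
<VirtualHost 123.123.123.123:80>
    ServerName yourdomain.com
    Include "$d/std/yourdomain.com/*.conf"
</VirtualHost>
<VirtualHost 123.123.123.123:443>
    ServerName yourdomain.com
    # Include "$d/ssl/yourdomain.com/*.conf"
</VirtualHost>
EOF
    echo "$d"
}

sample=$(make_sample) && audit_cgisys "$sample/httpd.conf"
if [ -n "$sample" ]; then rm -rf "$sample"; fi
```

On a real server, pass /usr/local/apache/conf/httpd.conf as the argument; any VirtualHost reported as `default` still serves the stock /cgi-sys/ scripts.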
