In this article we'll discuss how to disable the cPanel /scgi-bin directory, so that if your website failed a PCI scan because this directory was found, you can have it re-scanned and pass. As covered in our previous article on how to pass PCI compliance scans, having the /scgi-bin directory enabled is a common way to fail a PCI scan of your website.

A PCI scanning vendor typically picks up on these issues because of the way the /usr/local/cpanel/cgi-sys/scgiwrap script functions. This script is used to run CGI scripts as the cPanel user, instead of the web server's nobody user. During a PCI scan, the scanner will typically request a wide range of known problematic scripts, and in most cases the majority of those scripts won't exist on your website. But because of the way these requests are handled, the server responds with an HTTP 200 OK response displaying a page saying that the script wasn't found, instead of an HTTP 404 Not Found response.

So the PCI scanning company thinks that the actual problematic script is present on the server, when in reality a human looking at the page could determine that the problematic script didn't actually exist and wasn't executed. You can use the steps below to disable access to the /scgi-bin directory so that you can pass a PCI scan. These steps require root access to your VPS or dedicated server.

  1. Log in to your server via SSH as the root user.
  2. First make a copy of your cPanel Apache configuration file with the following command:

    cp -frp /var/cpanel/conf/apache/main{,.backup}

    This will create a /var/cpanel/conf/apache/main.backup file for you.

  3. Now you'll want to edit the cPanel Apache configuration file with the following command. In this example we are using the vim text editor:

    vim /var/cpanel/conf/apache/main

  4. When vim is loaded you'll be in normal mode (not insert mode), meaning that if you type something it doesn't get inserted into the document.

    We want to look for scgiwrap, so first type a forward slash / to start a search; the cursor will drop to the bottom of the screen. Then type scgiwrap and hit Enter.

    Now you should be dropped directly to the line containing a reference to the scgiwrap script, with that word highlighted.

    Press the Up arrow one time on your keyboard to move above the line highlighted, which should just contain a single dash mark -.

    While you're still in normal mode, you can press dd (simply the d key twice) to delete a line. You'll want to delete the 3 lines regarding the scgiwrap script.

    Now type a colon : to enter command mode, then type wq for write and quit, then hit Enter.

  5. Now you'll want to rebuild the Apache configuration with the following command:

    /scripts/rebuildhttpdconf

    This should give you back the following response:

    Built /usr/local/apache/conf/httpd.conf OK

  6. Finally restart the Apache service with the following command:

    service httpd restart
  7. The screenshots below show the before and after of turning this off: the first is with /scgi-bin still enabled, and the second is with it disabled following the instructions above.

    [Screenshots: cgi-sys-access-before, cgi-sys-access-after]

You should now be able to pass a PCI scan that had previously failed for the /scgi-bin/ directory being accessible.
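
A non-interactive equivalent of step 4, added here as an example and not taken from the original article or from cPanel: it removes the three-line scgiwrap entry from a copy of the file and refuses to write anything unless exactly one such entry is found. The sample file and its key names are constructed for illustration, and the function names strip_scgiwrap, write_sample and demo are hypothetical; the only layout assumed is the one the steps describe (a line holding a single dash, the scgiwrap line, then one more line).

```shell
# Added example (not cPanel code). Assumed layout, as in step 4: a lone "-"
# line, then the line naming scgiwrap, then one more line of the same entry.

# strip_scgiwrap SRC DST: write SRC minus that 3-line entry to DST.
# Returns non-zero and writes nothing unless exactly one entry matches.
strip_scgiwrap() {
    tmp="$2.tmp.$$"
    if awk '
        { line[NR] = $0 }
        /scgiwrap/ { hit = NR; hits++ }
        END {
            if (hits != 1) exit 2                         # none, or ambiguous
            if (line[hit-1] !~ /^[ \t]*-[ \t]*$/) exit 3  # no lone dash above
            if (hit == NR) exit 4                         # entry is truncated
            for (i = 1; i <= NR; i++)
                if (i < hit - 1 || i > hit + 1) print line[i]
        }' "$1" > "$tmp"
    then
        mv "$tmp" "$2"
    else
        rc=$?
        rm -f "$tmp"
        echo "strip_scgiwrap: refused (awk exit $rc), $1 left as is" >&2
        return "$rc"
    fi
}

# Constructed sample, NOT copied from a real server; key names are made up.
write_sample() {
    cat > "$1" <<'EOF'
main:
  scriptalias:
    items:
      -
        path: /usr/local/cpanel/cgi-sys/
        url: /cgi-sys/
      -
        path: /usr/local/cpanel/cgi-sys/scgiwrap
        url: /scgi-bin/
EOF
}

# Demo on a throwaway directory: show exactly which lines would be removed.
demo() {
    d=$(mktemp -d) || return 1
    write_sample "$d/main"
    strip_scgiwrap "$d/main" "$d/main.new" && diff "$d/main" "$d/main.new"
    rm -rf "$d"
}
demo || true
```

On a real server, run it against /var/cpanel/conf/apache/main only after the backup in step 2, review the diff before replacing the file, then continue with steps 5 and 6.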
