InMotion Hosting Support Center

In this article we'll discuss the built-in guestbook.cgi script that is available from cPanel, and how to disable it in case it is causing your website to fail a PCI compliance scan. As covered in our previous article on how to pass PCI compliance scans, the cPanel /cgi-sys/guestbook.cgi script is a common test that will cause a PCI scan to fail for your website.

You can read our article on using cPanel's simple guestbook script to get a good idea of exactly what the guestbook script does and how to use it on your website.

Disabling the cPanel guestbook.cgi script requires two steps. First, with root access already set up on your server, use the Feature Manager in WHM (Web Host Manager) to stop the feature from showing up in cPanel, so a user doesn't try to install it and end up with an error. Then log in to your server via SSH as the root user and modify your Apache configuration to prevent the script from being accessible.

You can follow the steps below in order to disable this script so that you can pass a PCI scan that is failing your website for having it enabled.

  1. Log into WHM.
  2. In the Find box type in feature, then click on Feature Manager.
  3. Under the Edit a Feature List drop-down, leave default selected, then click on Edit.
  4. Scroll down the page and un-check Simple Guestbook, then click on Save at the bottom of the page.
  5. You should now see that the default feature list was saved.
  6. Now when viewing the CGI Center in cPanel, you'll notice the Simple GuestBook link is no longer available.
  7. Now, to disable the script from being accessible, log in to your server via SSH.
  8. Make a copy of your current Apache configuration with the following command:

    cp -frp /usr/local/apache/conf/httpd.conf{,.backup}

  9. Now edit your Apache configuration with your favorite text editor. In this example we are using vim.

    vim /usr/local/apache/conf/httpd.conf

    Navigate down to your VirtualHosts section for your domain which should look like the following:

        DocumentRoot /home/dummydom/public_html
        ## User dummydom # Needed for Cpanel::ApacheConf
        <IfModule mod_suphp.c>
            suPHP_UserGroup dummydom dummydom
        </IfModule>
        <IfModule !mod_disable_suexec.c>
            <IfModule !mod_ruid2.c>
                SuexecUserGroup dummydom dummydom
            </IfModule>
        </IfModule>
        <IfModule mod_ruid2.c>
            RUidGid dummydom dummydom
        </IfModule>
        CustomLog /usr/local/apache/domlogs/ "%{%s}t %I .\n%{%s}t %O ."
        CustomLog /usr/local/apache/domlogs/ combined
        ScriptAlias /cgi-bin/ /home/dummydom/public_html/cgi-bin/
        # To customize this VirtualHost use an include file at the following location
        # Include "/usr/local/apache/conf/userdata/std/2/dummydom/*.conf"

    You'll want to uncomment the following line:

    # Include "/usr/local/apache/conf/userdata/std/2/dummydom/*.conf"

    By placing your cursor over the pound symbol # and hitting Delete on your keyboard:

    Include "/usr/local/apache/conf/userdata/std/2/dummydom/*.conf"

    Now you can save the file by hitting : to enter command mode, and then entering in wq for write and quit.

  10. Next, create the Apache include directory with the following command, using the paths for your account instead of this example one:

    mkdir -p /usr/local/apache/conf/userdata/std/2/dummydom/

  11. Now you'll want to echo the following value into a disable_cgisys.conf file inside that directory you just created:

    echo "ScriptAlias /cgi-sys/ /home/dummydom/public_html/cgi-bin/" > /usr/local/apache/conf/userdata/std/2/dummydom/disable_cgisys.conf

  12. Next rebuild the Apache configuration so that the new include path is built-in with the following command:


    You should get back the response:

    Built /usr/local/apache/conf/httpd.conf OK

  13. Now you want to restart Apache using the following command:

    service httpd restart

  14. Finally, create a symbolic link so that HTTPS requests are handled as well, in case you have an SSL certificate set up on your domain, using the following command:

    ln -s /usr/local/apache/conf/userdata/std/2/dummydom/ /usr/local/apache/conf/userdata/ssl/2/dummydom/

    The difference above is the /std/ and /ssl/ part of the path.

  15. Now if you try to view a guestbook page, you'll see it is no longer found.

So now that the cPanel guestbook.cgi script is no longer accessible on the server, you should be able to pass a PCI scan that previously had failed your website for having it accessible.
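
To confirm the steps above took effect before the next scan, the following added example (not part of the original article) audits the configuration files: it checks that the Include line is uncommented and that a ScriptAlias /cgi-sys/ override is reachable under both the std and ssl userdata directories. The function names and the temporary fixture are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: audit the /cgi-sys/ override.
# Usage: check_cgisys_override HTTPD_CONF USERDATA_ROOT CPANEL_USER
# Prints one FAIL line per missing piece; returns 0 only when all are in place.
check_cgisys_override() {
    conf=$1; root=$2; user=$3; rc=0
    std="$root/std/2/$user"
    ssl="$root/ssl/2/$user"

    # Step 9: the Include line must be present outside a comment.
    if ! grep -v '^[[:space:]]*#' "$conf" | grep -Fq "Include \"$std/*.conf\""; then
        echo "FAIL: Include for $std/*.conf is missing or still commented out"
        rc=1
    fi

    # Steps 11 and 14: a *.conf under std/ and under ssl/ must remap /cgi-sys/.
    for dir in "$std" "$ssl"; do
        if ! cat "$dir"/*.conf 2>/dev/null |
            grep -Eq '^[[:space:]]*ScriptAlias[[:space:]]+/cgi-sys/[[:space:]]'; then
            echo "FAIL: no ScriptAlias /cgi-sys/ override found in $dir"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed fixture: a throwaway tree mimicking the article's layout before
# any change is made (Include still commented out, no override file, no ssl link).
make_fixture() {
    t=$(mktemp -d)
    mkdir -p "$t/userdata/std/2/dummydom" "$t/userdata/ssl/2"
    printf '# Include "%s/userdata/std/2/dummydom/*.conf"\n' "$t" > "$t/httpd.conf"
    echo "$t"
}

# Demo run against the constructed fixture; all three checks are expected to fail.
demo=$(make_fixture)
check_cgisys_override "$demo/httpd.conf" "$demo/userdata" dummydom ||
    echo "audit result: /cgi-sys/ override is not fully in place"
rm -rf "$demo"
```

On a real server, run the function as root with `/usr/local/apache/conf/httpd.conf`, `/usr/local/apache/conf/userdata` and your account name in place of the fixture paths.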
