InMotion Hosting Support Center

In this article we'll discuss how to disable the cPanel /scgi-bin directory, so that if your website failed a PCI scan because this directory was found, you can have it re-scanned and pass the scan. As covered in our previous article on how to pass PCI compliance scans, having the /scgi-bin directory enabled is a common way to fail a PCI scan of your website.

A PCI scanning vendor typically picks up on these issues due to the way the /usr/local/cpanel/cgi-sys/scgiwrap script functions. This script is used to run CGI scripts as the cPanel user instead of the web server's nobody user. During a PCI scan, the scanner will typically request a wide range of known problematic scripts, and in most cases the majority of those scripts won't exist on your website. But because of the way the requests are handled, the server responds with an HTTP 200 OK response displaying a page saying that the script wasn't found, instead of an HTTP 404 Not Found response.

So the PCI scanning company thinks that the problematic script is present on the server, when in reality a human looking at the page could determine that the script didn't actually exist and wasn't executed. You can use the steps below to disable access to the /scgi-bin directory so that you can pass a PCI scan. These steps require root access to either your VPS or dedicated server.

  1. Login to your server via SSH as the root user.
  2. First make a copy of your cPanel Apache configuration file with the following command:

    cp -frp /var/cpanel/conf/apache/main{,.backup}

    This will create a /var/cpanel/conf/apache/main.backup file for you.

  3. Now you'll want to edit the cPanel Apache configuration file with the following command. In this example we are using the vim text editor:

    vim /var/cpanel/conf/apache/main

  4. When vim is loaded you'll be in normal mode, meaning anything you type is treated as a command rather than inserted into the document.

    We want to look for scgiwrap, so first type a forward slash / to enter find mode. The cursor will drop to the bottom of the screen. Then type scgiwrap and hit Enter.

    Now you should be dropped directly to the line containing a reference to the scgiwrap script, with that word highlighted.

    Press the Up arrow once on your keyboard to move to the line above the highlighted one, which should contain just a single dash mark -.

    While you're still in normal mode, you can press dd (simply pressing the d key twice) to delete a line. Use it to delete the 3 lines regarding the scgiwrap script.

    Now type a colon : to enter command mode, then type wq for write and quit, then hit Enter.

  5. Now you'll want to rebuild the Apache configuration with the following command:


    This should give you back the following response:

    Built /usr/local/apache/conf/httpd.conf OK

  6. Finally restart the Apache service with the following command:

    service httpd restart

  7. The images below show the before and after of turning this off. The first is with /scgi-bin still enabled, and the second is with it disabled following the instructions above.

    [Images: cgi-sys-access-before, cgi-sys-access-after]

You should now be able to pass a PCI scan that had previously failed for the /scgi-bin/ directory being accessible.
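Before requesting a re-scan you can confirm the change yourself. The script below is an added example, not part of the original article: it checks whether the two configuration files named above still reference scgiwrap and requests a made-up script name under /scgi-bin/ to see whether the server still answers 200 instead of 404. It assumes curl is installed; the function names and the probe file name are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): post-change check for /scgi-bin.
# Assumptions: curl is installed; the site's base URL is passed as the first argument.

# Succeeds if any non-comment line of config file $1 still mentions scgiwrap.
config_references_scgiwrap() {
    grep -v '^[[:space:]]*#' "$1" | grep -q 'scgiwrap'
}

# Prints the HTTP status code for URL $1 ("000" if the request fails).
fetch_status() {
    curl -s -o /dev/null -m 10 -w '%{http_code}' "$1" || true
}

# Requests a made-up script under /scgi-bin/ and prints a verdict:
#   soft-404      200 for a file that cannot exist (what the scanner flags)
#   disabled      404, the behaviour expected after the change
#   inconclusive  anything else; inspect by hand
probe_scgi_bin() {
    probe_name="pci-check-$$-$(date +%s).cgi"   # constructed name, should not exist
    probe_code="$(fetch_status "${1%/}/scgi-bin/${probe_name}")"
    case "$probe_code" in
        200) echo "soft-404" ;;
        404) echo "disabled" ;;
        *)   echo "inconclusive:${probe_code}" ;;
    esac
}

# Run only when a base URL is given, e.g.: sh check-scgi.sh https://example.com
if [ "$#" -ge 1 ]; then
    for conf in /var/cpanel/conf/apache/main /usr/local/apache/conf/httpd.conf; do
        if [ -r "$conf" ] && config_references_scgiwrap "$conf"; then
            echo "WARN: $conf still references scgiwrap"
        fi
    done
    probe_scgi_bin "$1"
fi
```

A verdict of soft-404 means the server still returns 200 for a nonexistent script under /scgi-bin/, which is the behaviour described at the top of this article.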
