This article aims to guide readers on how to disable the cPanel /scgi-bin directory in order to pass a PCI compliance scan. The /scgi-bin directory is a common reason for failed scans and is typically detected by PCI scanning vendors due to the way the /usr/local/cpanel/cgi-sys/scgiwrap script operates. This script allows CGI scripts to be run as the cPanel user rather than the web-server’s nobody user.

During a PCI scan, a range of known problematic scripts is requested, most of which are not present on the website being scanned. However, because of the way scgiwrap handles these requests, the server responds with an HTTP 200 OK and a page stating that the script was not found, instead of an HTTP 404 Not Found response. This can mislead the scanning company into concluding that the problematic script is present on the server, when in fact it does not exist and has not been executed.

To avoid this issue, it is recommended to disable access to the /scgi-bin directory. The following steps are required to do so, and root access to either a VPS or dedicated server is necessary.

  1. Login to your server via SSH as the root user.
  2. First, make a copy of your cPanel Apache configuration file with the following command: cp -frp /var/cpanel/conf/apache/main{,.backup} This will create a /var/cpanel/conf/apache/main.backup file for you.
  3. Now edit the cPanel Apache configuration file. In this example we are using the vim text editor: vim /var/cpanel/conf/apache/main

When vim is loaded you’ll be in edit mode, meaning if you type something it doesn’t get inserted into the document.

[Screenshot: vim editing the Apache configuration, edit mode]

We want to look for scgiwrap, so first type a forward slash / to enter find mode; the cursor will drop to the bottom of the screen. Then type scgiwrap and hit Enter.

[Screenshot: vim editing the Apache configuration, find mode]

Now you should be dropped directly to the line containing a reference to the scgiwrap script, with that word highlighted.

[Screenshot: vim editing the Apache configuration, find results]

Press the Up arrow once on your keyboard to move to the line above the highlighted one, which should contain just a single dash.

[Screenshot: vim editing the Apache configuration, after pressing Up]

In vim, while you are still in edit mode, you can press dd (simply pressing the d key twice) to delete a line. Do this to delete the 3 lines relating to the scgiwrap script: the dash line, the scgiwrap line, and the line below it.

[Screenshot: vim editing the Apache configuration, deleting the lines]

Now type a colon : to enter command mode, then type wq (write and quit) and hit Enter.

[Screenshot: vim editing the Apache configuration, saving]
  4. Now rebuild the Apache configuration with the following command: /scripts/rebuildhttpdconf This should give you back the following response: Built /usr/local/apache/conf/httpd.conf OK
  5. Finally, restart the Apache service with the following command: service httpd restart
  6. Below shows the before and after of turning this off: the first is with /scgi-bin still enabled, and the second is with it disabled following the instructions above.

You should now be able to pass a PCI scan that had previously failed for the /scgi-bin/ directory being accessible.
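The same backup and three-line deletion, as an added shell example that is not part of the original article. The config sample it builds is constructed to match the layout described above (a lone dash, the scgiwrap line, one more line) and is not copied from a real cPanel host; on a live server you would point strip_scgiwrap at /var/cpanel/conf/apache/main and then run the rebuild and restart steps from the article.

```shell
#!/bin/sh
# Added example, not from the original article: perform the article's edit
# non-interactively on a cPanel Apache config. Takes the same backup first,
# then removes the three-line scgiwrap entry (lone dash, scgiwrap line, the
# line below it). Rebuild and restart afterwards as the article shows:
#   /scripts/rebuildhttpdconf && service httpd restart

strip_scgiwrap() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    cp -fp "$cfg" "$cfg.backup" || return 1        # keep an untouched copy
    awk '
        { line[NR] = $0 }
        /scgiwrap/ && !hit { hit = NR }            # first scgiwrap reference
        END {
            from = 0; to = 0
            if (hit && line[hit-1] ~ /^[ \t]*-[ \t]*$/) {
                from = hit - 1; to = hit + 1       # the 3 lines the article deletes
            } else if (hit) {
                # layout differs from what the article describes: refuse to guess
                print "scgiwrap line not preceded by a lone dash; unchanged" > "/dev/stderr"
            }
            for (i = 1; i <= NR; i++)
                if (i < from || i > to) print line[i]
        }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Number of lines still mentioning scgiwrap; 0 means the entry is gone.
scgiwrap_refs() { grep -c scgiwrap "$1" || true; }

make_sample_config() {
    # Constructed sample in the shape the article describes; not the real file.
    cat > "$1" <<'EOF'
main:
  scriptalias:
    item:
      -
        path: /usr/local/cpanel/cgi-sys/
        url: /cgi-sys/
      -
        path: /usr/local/cpanel/cgi-sys/scgiwrap
        url: /scgi-bin/
EOF
}

if [ "${1:-}" = "--demo" ]; then      # dry run on the sample, not on a live server
    tmp=$(mktemp -d); make_sample_config "$tmp/main"
    strip_scgiwrap "$tmp/main"; diff "$tmp/main.backup" "$tmp/main"; rm -rf "$tmp"
fi
```

Run it with --demo to see the diff between the backup and the edited sample; a file whose scgiwrap line is not preceded by a lone dash is backed up but left unchanged.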

Author

Kamran
