
Disable default cPanel guestbook CGI script

This article will cover the cPanel guestbook.cgi script, its potential impact on PCI compliance scans, and how to disable it. If you’ve read our previous article on passing PCI compliance scans, you’ll know that the cPanel /cgi-sys/guestbook.cgi script is a common culprit for failing these scans.

If you’re not familiar with the guestbook script, you can check out our article on using cPanel’s simple guestbook script for an overview.

Disabling the guestbook.cgi script involves two steps. First, you’ll need to access the Feature Manager in WHM with root access to prevent the feature from showing up in cPanel, which could lead to users inadvertently installing it and triggering errors. Next, you’ll need to log in to your server via SSH as the root user and modify your Apache configuration to block access to the script.

Follow the steps below to disable the guestbook.cgi script and ensure that your website passes a PCI compliance scan:

  1. Log in to WHM and search for “feature” in the Find box. Click on Feature Manager.
  2. Under Edit a Feature List, leave default selected and click Edit. Uncheck Simple Guestbook, then click Save.
  3. To prevent the script from being accessible, log in to your server via SSH and copy your current Apache configuration using the command: “cp -frp /usr/local/apache/conf/httpd.conf{,.backup}”
  4. Edit your Apache configuration using your preferred text editor, such as vim.
  5. Scroll down to the VirtualHosts section for your domain and uncomment the following line: “Include "/usr/local/apache/conf/userdata/std/2/dummydom/example.com/*.conf"”
  6. Save the file and create the Apache include directory with the command: “mkdir -p /usr/local/apache/conf/userdata/std/2/dummydom/example.com/”
  7. Echo the following value into a disable_cgisys.conf file inside that directory: “ScriptAlias /cgi-sys/ /home/dummydom/public_html/cgi-bin/”
  8. Rebuild the Apache configuration using the command: “/scripts/rebuildhttpdconf”
  9. Restart Apache with the command: “service httpd restart”
  10. Create a symbolic link to handle HTTPS requests as well, using the command: “ln -s /usr/local/apache/conf/userdata/std/2/dummydom/example.com/disable_cgisys.conf /usr/local/apache/conf/userdata/ssl/2/dummydom/example.com/disable_cgisys.conf”

After completing these steps, the cPanel guestbook.cgi script should no longer be accessible on the server, and you should be able to pass a PCI scan that previously failed your website for having it enabled.
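
Steps 6, 7 and 10 can be wrapped in one re-runnable function that writes the override for both the HTTP and HTTPS include paths. This is an added example, not part of the original article: the function names and the CONF_ROOT variable are assumptions, and it also creates the ssl directory that the symlink in step 10 needs.

```shell
#!/bin/sh
# Added example: steps 6, 7 and 10 as one idempotent function.
# CONF_ROOT is an assumed variable for dry runs; it defaults to the article's path.
CONF_ROOT="${CONF_ROOT:-/usr/local/apache/conf}"

# write_cgisys_override USER DOMAIN
# Writes the ScriptAlias override for the std vhost and links it for the ssl vhost.
write_cgisys_override() {
    user="$1"; domain="$2"
    if [ -z "$user" ] || [ -z "$domain" ]; then
        echo "usage: write_cgisys_override USER DOMAIN" >&2
        return 2
    fi
    # Refuse values that would escape the userdata tree.
    case "$user$domain" in
        */*|*..*) echo "invalid user or domain" >&2; return 2 ;;
    esac
    std_dir="$CONF_ROOT/userdata/std/2/$user/$domain"
    ssl_dir="$CONF_ROOT/userdata/ssl/2/$user/$domain"
    # Step 6, plus the ssl directory the step 10 symlink is placed in.
    mkdir -p "$std_dir" "$ssl_dir" || return 1
    # Step 7: point /cgi-sys/ at the account's own cgi-bin.
    printf 'ScriptAlias /cgi-sys/ /home/%s/public_html/cgi-bin/\n' "$user" \
        > "$std_dir/disable_cgisys.conf" || return 1
    # Step 10: -f replaces an existing link, so re-runs do not fail.
    ln -sf "$std_dir/disable_cgisys.conf" "$ssl_dir/disable_cgisys.conf"
}

# guestbook_status URL_BASE
# Prints the HTTP status for the guestbook URL; a 200 after the restart
# means something is still being served at that path.
guestbook_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1/cgi-sys/guestbook.cgi"
}
```

Call `write_cgisys_override dummydom example.com` as root, then run steps 8 and 9 so Apache loads the include, and check the result with `guestbook_status https://example.com`.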

Author

Kamran
