How to disable Guestbook.cgi in Cpanel

guestbook.cgi is vulnerable to a remote command execution bug: any remote user can manipulate the input to the email field of this CGI and force the web server to execute arbitrary commands. The bug is caused by incomplete sanitisation of the email variable taken from the HTTP POST.

This article explains the steps to disable guestbook.cgi.

To test whether guestbook.cgi is reachable on your website, just load the following URL and check the result:

http://domain.com/cgi-sys/guestbook.cgi

Result: No Username given

This result means the script ran, i.e. guestbook.cgi is enabled and reachable on the server.


You can follow the steps below in order to disable this script.

Log into WHM.

In the Find box type in feature, then click on Feature Manager.

Under the Edit a Feature List drop-down, leave default selected, then click on Edit. (If the account uses a different feature list, edit that one instead.)

Scroll down the page and un-check Simple Guestbook, then click on Save at the bottom of the page.

You should now see that the default feature list was saved.

Now when viewing the CGI Center in cPanel, you'll notice the Simple GuestBook link is no longer available. Note that this only hides the link in cPanel; the script is still on disk and still reachable through /cgi-sys/ until the Apache change below is made.

Now, to stop the script from being accessible at all, log in to your server via SSH.

Make a copy of your current Apache configuration with the following command:

cp -frp /usr/local/apache/conf/httpd.conf{,.backup}

Now edit your Apache configuration with your favorite text editor, in this example we are using vim.

vim /usr/local/apache/conf/httpd.conf

Navigate down to your VirtualHosts section for your domain which should look like the following:

<VirtualHost x.x.x.x:80>
ServerName yourdomain.com
ServerAlias www.yourdomain.com
DocumentRoot /home/dummydom/public_html
ServerAdmin webmaster@yourdomain.com
## User dummydom # Needed for Cpanel::ApacheConf
<IfModule mod_suphp.c>
suPHP_UserGroup dummydom dummydom
</IfModule>
<IfModule !mod_disable_suexec.c>
<IfModule !mod_ruid2.c>
SuexecUserGroup dummydom dummydom
</IfModule>
</IfModule>
<IfModule mod_ruid2.c>
RUidGid dummydom dummydom
</IfModule>
CustomLog /usr/local/apache/domlogs/yourdomain.com-bytes_log "%{%s}t %I .\n%{%s}t %O ."
CustomLog /usr/local/apache/domlogs/yourdomain.com combined
ScriptAlias /cgi-bin/ /home/dummydom/public_html/cgi-bin/
# To customize this VirtualHost use an include file at the following location
# Include "/usr/local/apache/conf/userdata/std/2/dummydom/yourdomain.com/*.conf"
</VirtualHost>
You'll want to uncomment the following line:
# Include "/usr/local/apache/conf/userdata/std/2/dummydom/yourdomain.com/*.conf"
by placing your cursor over the pound symbol # and pressing Delete (or x) in vim's normal mode, so that it reads:
Include "/usr/local/apache/conf/userdata/std/2/dummydom/yourdomain.com/*.conf"

Now save the file by pressing : to enter command mode, then typing wq (write and quit) and pressing Enter.

Next, create the Apache include directory with the following command, substituting the username and domain of your account for the example ones:

mkdir -p /usr/local/apache/conf/userdata/std/2/dummydom/yourdomain.com/

Now echo the following value into a disable_cgisys.conf file inside the directory you just created. It re-points /cgi-sys/ for this VirtualHost at the account's own cgi-bin, which does not contain guestbook.cgi, so the request no longer reaches the system-wide script:

echo "ScriptAlias /cgi-sys/ /home/dummydom/public_html/cgi-bin/" > /usr/local/apache/conf/userdata/std/2/dummydom/yourdomain.com/disable_cgisys.conf

Two consequences to be aware of: the override applies to this domain only, so every other domain on the server still serves /cgi-sys/guestbook.cgi until it gets the same include, and every other script under /cgi-sys/ (not just the guestbook) becomes unreachable for this domain.

Next rebuild the Apache configuration so that the new include path is built-in with the following command:

/scripts/rebuildhttpdconf

You should get back the response:

Built /usr/local/apache/conf/httpd.conf OK

Now you want to restart Apache using the following command:

service httpd restart

Finally, create a symbolic link so that HTTPS requests are handled as well, in case you have an SSL certificate set up on your domain. The ssl/ directory may not exist yet, so create it first, then link the file:

mkdir -p /usr/local/apache/conf/userdata/ssl/2/dummydom/yourdomain.com/

ln -s /usr/local/apache/conf/userdata/std/2/dummydom/yourdomain.com/disable_cgisys.conf /usr/local/apache/conf/userdata/ssl/2/dummydom/yourdomain.com/disable_cgisys.conf

The only difference between the two paths is the /std/ and /ssl/ component. Run /scripts/rebuildhttpdconf and restart Apache once more so the SSL VirtualHost picks up the new include.

Now if you try to view a guestbook page you'll see it is no longer found:

Result: Not Found
The requested URL /cgi-sys/guestbook.cgi was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
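The whole SSH procedure above, scripted so it can be repeated for every account on the server, as an added example that is not part of the original article. The account name, domain and userdata base path are parameters; /scripts/rebuildhttpdconf, service httpd restart and the "2" path component are the ones used in the steps above, and curl is assumed to be installed.

```shell
#!/bin/sh
# Added example: per-vhost /cgi-sys/ override for one cPanel account.
# Usage: sh disable_cgisys.sh <cpanel_user> <domain>
# USERDATA_BASE is overridable so the file-writing part can be exercised
# in a scratch directory without touching a live server.

USERDATA_BASE=${USERDATA_BASE:-/usr/local/apache/conf/userdata}
HTTPD_VERSION_DIR=2   # the "2" in .../userdata/std/2/<user>/<domain>/

# The ScriptAlias line that re-points /cgi-sys/ for this vhost at the
# account's own cgi-bin, which holds no guestbook.cgi.
cgisys_override_line() {
    printf 'ScriptAlias /cgi-sys/ /home/%s/public_html/cgi-bin/\n' "$1"
}

# Write the std include and a matching ssl symlink so both the :80 and the
# :443 VirtualHost get the override. Prints the path of the std file.
write_cgisys_override() {
    user=$1
    domain=$2
    std_dir="$USERDATA_BASE/std/$HTTPD_VERSION_DIR/$user/$domain"
    ssl_dir="$USERDATA_BASE/ssl/$HTTPD_VERSION_DIR/$user/$domain"
    mkdir -p "$std_dir" "$ssl_dir"          # ssl/ often does not exist yet
    cgisys_override_line "$user" > "$std_dir/disable_cgisys.conf"
    ln -sf "$std_dir/disable_cgisys.conf" "$ssl_dir/disable_cgisys.conf"
    printf '%s\n' "$std_dir/disable_cgisys.conf"
}

# HTTP status of the guestbook URL for a domain (needs network access).
# 200 means the script ran ("No Username given"); 404 means it is gone.
guestbook_status() {
    curl -s -o /dev/null -w '%{http_code}' "http://$1/cgi-sys/guestbook.cgi"
}

main() {
    user=$1
    domain=$2
    echo "before: HTTP $(guestbook_status "$domain")"
    write_cgisys_override "$user" "$domain"
    /scripts/rebuildhttpdconf
    service httpd restart
    echo "after:  HTTP $(guestbook_status "$domain")"
}

# Only act when invoked with a user and a domain.
if [ "$#" -eq 2 ]; then
    main "$1" "$2"
fi
```

Because /scripts/rebuildhttpdconf regenerates httpd.conf from cPanel's templates, any hand edit to httpd.conf is overwritten by that step; the Include for the userdata directory is emitted because the directory now contains a .conf file, which is why the script does not edit httpd.conf itself. Run the script once per account that should lose access to /cgi-sys/, and check that the "after" status is 404.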
