How to disable Guestbook.cgi in Cpanel

May 11, 2016July 6, 2016 admin

guestbook.cgi, is vulnerable to a remote command execution bug, any remote user can manipulate the input to the email field to the this cgi, and force the web server to execute specific command. This bug is caused by incomplete sanitation of the email variable from the http POST.

This article explains the steps to disable guestbook.cgi.

For testing your website for guestbook, just load the url and check the result,

http://domain.com/cgi-sys/guestbook.cgi

Result: No Username given

This result means that guestbook enabled in the server

You can follow the steps below in order to disable this script.

Log into WHM.

In the Find box type in feature, then click on Feature Manager.

Under the Edit a Feature List drop-down, leave default selected, then click on Edit.

Scroll down the page and un-check Simple Guestbook, then click on Save at the bottom of the page.

You should now see that the default feature list was saved.

Now when viewing the CGI Center in cPanel, you'll notice the Simple GuestBook link is not longer available.

Now to disable the script from being accessible login to your server via SSH.

Make a copy of your current Apache configuration with the following command:

cp -frp /usr/local/apache/conf/httpd.conf{,.backup}

Now edit your Apache configuration with your favorite text editor, in this example we are using vim.

vim /usr/local/apache/conf/httpd.conf

Navigate down to your VirtualHosts section for your domain which should look like the following:

<VirtualHost x.x.x.x:80>
ServerName yourdomain.com
ServerAlias www.yourdomain.com
DocumentRoot /home/dummydom/public_html
ServerAdmin webmaster@yourdomain.com
## User dummydom # Needed for Cpanel::ApacheConf
<IfModule mod_suphp.c>
suPHP_UserGroup dummydom dummydom
</IfModule>
<IfModule !mod_disable_suexec.c>
<IfModule !mod_ruid2.c>
SuexecUserGroup dummydom dummydom
</IfModule>
</IfModule>
<IfModule mod_ruid2.c>
RUidGid dummydom dummydom
</IfModule>
CustomLog /usr/local/apache/domlogs/yourdomain.com-bytes_log "%{%s}t %I .\n%{%s}t %O ."
CustomLog /usr/local/apache/domlogs/yourdomain.com combined
ScriptAlias /cgi-bin/ /home/dummydom/public_html/cgi-bin/
# To customize this VirtualHost use an include file at the following location
# Include "/usr/local/apache/conf/userdata/std/2/yourdom/yourdomain.com/*.conf"
</VirtualHost>
You'll want to uncomment the following line:
# Include "/usr/local/apache/conf/userdata/std/2/dummydom/yourdomain.com/*.conf"
By placing your cursor over the pound symbol # and hitting Delete on your keyboard:
Include "/usr/local/apache/conf/userdata/std/2/dummydom/yourdomain.com/*.conf"

Now you can save the file by hitting : to enter command mode, and then entering in wq for write and quit.

Next create the Apache include directory with the following command of course using the paths for your account instead of this example one:

mkdir -p /usr/local/apache/conf/userdata/std/2/dummydom/yourdomain.com/

Now you'll want to echo the following value into a disable_cgisys.conf file inside that directory you just created:

echo "ScriptAlias /cgi-sys/ /home/dummydom/public_html/cgi-bin/" > /usr/local/apache/conf/userdata/std/2/dummydom/yourdomain.com/disable_cgisys.conf

Next rebuild the Apache configuration so that the new include path is built-in with the following command:

/scripts/rebuildhttpdconf

You should get back the response:

Built /usr/local/apache/conf/httpd.conf OK

Now you want to restart Apache using the following command:

service httpd restart

Finally you'll want to create a symbolic link to handle HTTPS requests as well in case you have an SSL certificate setup on your domain using the following command:

ln -s /usr/local/apache/conf/userdata/std/2/dummydom/yourdomain.com/disable_cgisys.conf /usr/local/apache/conf/userdata/ssl/2/dummydom/yourdomain.com/disable_cgisys.conf

The difference above is the /std/ and /ssl/ part of the path.

Now if you try to view a guestbook page you'll see it is no longer found:

Result: Not Found
The requested URL /cgi-sys/guestbook.cgi was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

M	T	W	T	F	S	S
				1	2	3
4	5	6	7	8	9	10
11	12	13	14	15	16	17
18	19	20	21	22	23	24
25	26	27	28	29	30

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

TECHIES WORLD

How to disable Guestbook.cgi in Cpanel

Leave a Reply Cancel reply