Disable cgi scripts even using fcgi as php handler.

Augusto Will · Jan 23, 2015

Is possible to disable cgi scripts if I'm using fastcgi as php handler?
How I do that?

Thank you.

cPanelMichael · Jan 26, 2015

Hello

You can disable the "CGI Access" option for the packages assigned to your accounts via:

"WHM Home » Packages » Edit a Package"

Are you attempting to disable CGI for security purposes? If so, I would like to paste to you the response from another analyst regarding a similar request:

What needs to be understood is the distinction between a script that provides an entry point for an attacker, and a script that is executed by an attacker. Let me give you an example. Old versions of Joomla, a popular PHP-based application, are known for allowing an attacker to execute code remotely. What happens is this:

The attacker finds a Joomla-based site running an old, insecure version of Joomla.
The attacker sends a call to the Joomla site to trigger the vulnerability that allows remote code execution.
The attacker uploads his desired script through the vulnerable Joomla application and executes it on your server.

It is important to understand that it does not matter what language the attacker's script is written in. Once the attacker finds a vulnerable script on one of your sites, a script that will allow remote code execution, the attacker will upload and execute code. If you disable Perl, the attacker will upload and execute a PHP script. If you disable PHP, the attacker may upload and execute a Python script. If you disable Python, the attacker may upload and execute a script for the C shell or Korn shell, or any other shell that may be available on Unix or Linux.

This is why trying to disable a language interpreter, such as Perl, from being used by your users is a futile effort. No matter what you do, the issue that would lead to Perl being used by an attacker's script is that a script on your server is vulnerable to being used to execute code remotely. By the time the attacker invokes the Perl interpreter to run his/her script, it is already too late, because he/she has already exploited the vulnerable script on your site.

The only way to prevent this type of behavior is to audit the scripts on your sites and identify those that may allow remote code execution. This is not easy or fast, and it requires the assistance of a security expert who can identify this type of issue for you. It is, however, the only way to truly secure your server against abuse caused by remote code execution. Trying to prevent this abuse by disabling the Perl interpreter, or the PHP interpreter, or the Python interpreter, or any other interpreter is not a good approach.
Click to expand...

Thank you.

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

Disable cgi scripts even using fcgi as php handler.

Augusto Will Active Member

cPanelMichael Technical Support Community Manager
Staff Member

Disable Edit DNS Zone in WHM?

Disable http access to webmail on Shared host?

Pending Publication [CPANEL-22169] Pure-FTPd: Preserve disabled ForcePassiveIP when NAT is active

disabled autoSSL and set new certificates to access website

SOLVED Disable/remove Git Version Control

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

Disable cgi scripts even using fcgi as php handler.

Augusto Will Active Member

cPanelMichael Technical Support Community Manager Staff Member

Disable Edit DNS Zone in WHM?

Disable http access to webmail on Shared host?

Pending Publication [CPANEL-22169] Pure-FTPd: Preserve disabled ForcePassiveIP when NAT is active

disabled autoSSL and set new certificates to access website

SOLVED Disable/remove Git Version Control

Share This Page

cPanelMichael Technical Support Community Manager
Staff Member