Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

guestbook.cgi

Discussion in 'General Discussion' started by JraNil, Oct 22, 2004.

  1. JraNil

    JraNil Member

    Joined:
    Oct 12, 2004
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    151
    Whenever i check my server by Nessus, I receive this Vulnerability :

    -----
    The 'guestbook.cgi' is installed. This CGI has
    a well known security flaw that lets anyone execute arbitrary
    commands with the privileges of the http daemon (root or nobody).

    Solution : remove it from /cgi-bin.
    -----

    How can I remove it completely? just remove it under /home or there is another way?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #1 JraNil, Oct 22, 2004
  2. anand

    anand Well-Known Member

    Joined:
    Nov 11, 2002
    Messages:
    1,435
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    India
    cPanel Access Level:
    DataCenter Provider
    guestbook.cgi is part of cgi scripts which come along with cpanel. If you want to disable them just change permisions of the scripts in /usr/local/cpanel/cgi-sys/.

    For guestbook.cgi it would be

    chmod 000 /usr/local/cpanel/cgi-sys/guestbook.cgi

    However note that the next cpanel update will return the permissions to normal. You can choose to place the chmod inside a file /scripts/postupcp so it changes the permissions back everytime cpanel updates.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 anand, Oct 22, 2004
  3. JraNil

    JraNil Member

    Joined:
    Oct 12, 2004
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    151
    should I creat postupcp ?
    there is no postupcp in /scripts.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 JraNil, Oct 23, 2004
  4. deborahgsmith

    deborahgsmith Member

    Joined:
    May 18, 2004
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    151
    Location:
    SE Michigan
    Which version of guestbook.cgi are you using currently?

    I thought they fixed the vulnerability in version 6 of cpanel.

    Deborah
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 deborahgsmith, Oct 23, 2004
  5. anand

    anand Well-Known Member

    Joined:
    Nov 11, 2002
    Messages:
    1,435
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    India
    cPanel Access Level:
    DataCenter Provider
    Yes you need to create it. Though thats required only if you want to disable guestbook.cgi, i don't think the one shipping with cpanel has any vulnerability anymore (not sure still).
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 anand, Oct 23, 2004
  6. katz_global

    katz_global Well-Known Member
    PartnerNOC

    Joined:
    Oct 18, 2003
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Hosting from: Panama, Hong Kong, Singapore, Malays
    can someone explain to me how nessus is even able to connect to that folder to know that script resides there?

    /usr/local/cpanel/cgi-sys/guestbook.cgi

    ?

    Seems to me that is more of a security issue that the script itself.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #6 katz_global, Jul 21, 2005
(You must log in or sign up to post here.)

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice