The Community Forums

Interact with an entire community of cPanel & WHM users!

guestbook.cgi

Discussion in 'General Discussion' started by JraNil, Oct 22, 2004.

  1. JraNil

    JraNil Member

    Joined:
    Oct 12, 2004
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Whenever I check my server with Nessus, I receive this vulnerability:

    -----
    The 'guestbook.cgi' is installed. This CGI has
    a well known security flaw that lets anyone execute arbitrary
    commands with the privileges of the http daemon (root or nobody).

    Solution : remove it from /cgi-bin.
    -----

    How can I remove it completely? Just remove it under /home, or is there another way?
     
  2. anand

    anand Well-Known Member

    Joined:
    Nov 11, 2002
    Messages:
    1,435
    Likes Received:
    1
    Trophy Points:
    38
    Location:
    India
    cPanel Access Level:
    DataCenter Provider
    guestbook.cgi is part of the CGI scripts which come along with cPanel. If you want to disable them, just change the permissions of the scripts in /usr/local/cpanel/cgi-sys/.

    For guestbook.cgi it would be

    chmod 000 /usr/local/cpanel/cgi-sys/guestbook.cgi

    However, note that the next cPanel update will return the permissions to normal. You can choose to place the chmod inside a file /scripts/postupcp so it changes the permissions back every time cPanel updates.
     
  3. JraNil

    JraNil Member

    Joined:
    Oct 12, 2004
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Should I create postupcp?
    There is no postupcp in /scripts.
     
  4. deborahgsmith

    deborahgsmith Member

    Joined:
    May 18, 2004
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    SE Michigan
    Which version of guestbook.cgi are you using currently?

    I thought they fixed the vulnerability in version 6 of cPanel.

    Deborah
     
  5. anand

    anand Well-Known Member

    Joined:
    Nov 11, 2002
    Messages:
    1,435
    Likes Received:
    1
    Trophy Points:
    38
    Location:
    India
    cPanel Access Level:
    DataCenter Provider
    Yes, you need to create it. Though that's required only if you want to disable guestbook.cgi; I don't think the one shipping with cPanel has any vulnerability anymore (not sure, still).
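
The postupcp approach from the replies above, written out as an added example that is not part of the original thread and is not cPanel's own code. It assumes /scripts/postupcp is run as a shell script after each update (as the reply describes) and that GNU stat is available; the names DISABLE_LIST, disable_cgi and disable_all are hypothetical.

```shell
#!/bin/sh
# Hypothetical /scripts/postupcp hook: re-disable bundled CGI scripts after a cPanel update.
CGI_SYS="${CGI_SYS:-/usr/local/cpanel/cgi-sys}"   # path from the thread; overridable for testing
DISABLE_LIST="${DISABLE_LIST:-guestbook.cgi}"     # space-separated script names (assumption)

# disable_cgi FILE: set FILE to mode 000 and confirm the change took effect.
# Returns 0 when the file is disabled or absent, 1 on any failure.
disable_cgi() {
    f="$1"
    if [ -L "$f" ]; then
        # chmod follows symlinks, so refuse rather than change an unexpected target
        echo "postupcp: $f is a symlink, not touching it" >&2
        return 1
    fi
    if [ ! -e "$f" ]; then
        echo "postupcp: $f not present, nothing to do" >&2
        return 0
    fi
    if [ ! -f "$f" ]; then
        echo "postupcp: $f is not a regular file" >&2
        return 1
    fi
    chmod 000 "$f" || return 1
    # Verify the resulting mode instead of trusting the exit status alone (GNU stat)
    mode=$(stat -c '%a' "$f") || return 1
    if [ "$mode" -eq 0 ]; then
        echo "postupcp: disabled $f"
        return 0
    fi
    echo "postupcp: $f still has mode $mode" >&2
    return 1
}

# disable_all: apply disable_cgi to every name in DISABLE_LIST; non-zero if any failed.
disable_all() {
    rc=0
    for name in $DISABLE_LIST; do
        disable_cgi "$CGI_SYS/$name" || rc=1
    done
    return $rc
}

disable_all
```

The file must be executable for the hook to run, and a non-zero exit from it is the signal that a script is still enabled after the update.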
     
  6. katz_global

    katz_global Well-Known Member
    PartnerNOC

    Joined:
    Oct 18, 2003
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Hosting from: Panama, Hong Kong, Singapore, Malays
    Can someone explain to me how Nessus is even able to connect to that folder to know that script resides there?

    /usr/local/cpanel/cgi-sys/guestbook.cgi

    ?

    Seems to me that is more of a security issue than the script itself.
     