cPanel's defaultwebpage.cgi not vulnerable
Our internal testing showed that /cgi-sys/defaultwebpage.cgi was not vulnerable by this exploit. It is not written in bash and does not make any calls to bash.
If you have evidence to the contrary, or are aware of any other CGI scripts distributed by cPanel that are vulnerable we would greatly appreciate it if you'd open a ticket with us with this information:
http://tickets.cpanel.net
Thanks!
Phil Stark
Technical Support Supervisor
cPanel, Inc.