UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

All interactive programs must be placed in a designated directory with appropriate permissions.


Overview

Finding ID Version Rule ID IA Controls Severity
V-13731 WA000-WWA050 W22 SV-32998r1_rule Medium
Description
CGI scripts are one of the most exploited vulnerabilities on web servers. CGI script execution in Apache can be accomplished via two methods. The first method uses the ScriptAlias directive to tell the server everything in that directory is a CGI script. The second method uses a combination of the Options directive and AddHandler or SetHandler directives. For situations where the combination of the Options directive and Handler directives are used, the ability to centrally manage scripts is lost, creating vulnerability on the web server. It is best to manage scripts using the ScriptAlias directive.
STIG Date
APACHE 2.2 SERVER for Windows Security Technical Implementation Guide 2017-10-02

Details

Check Text ( C-33663r1_chk )
Locate the Apache httpd.conf file.

Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directives: SetHandler, AddHandler, and Options.

For all occurrences of the SetHandler and AddHandler directives query the Web Administrator to determine if the directives are allowing CGI scripts to be used.

If CGI Scripts are used via the SetHandler or AddHandler directives, this is a finding.

For all occurrences of the Options directive that are using +ExecCGI or ExecCGI, this is a finding.

If the Options directive is found with -ExecCGI, this is not a finding.

If the value does not exist, this would be a finding unless the Options statement is set to “None”.
Fix Text (F-29302r1_fix)
Locate the scripts in a ScriptAlias directory, and/or add the appropriate symbol to explicitly disable ExecCGI, or set the options directive to None.