UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Remote authors or content providers are not able to upload files to the DocumentRoot directory without being scanned to ensure no viruses or malicious code exists.


Overview

Finding ID Version Rule ID IA Controls Severity
V-13687 WG237 SV-14281r1_rule ECSC-1 High
Description
Remote web authors should not be able to upload files to the DocumentRoot directory structure without virus checking and checking for malicious or mobile code. A remote web user whose agency has a Memorandum of Agreement (MOA) with the hosting agency and has submitted a DoD form 2875 (System Authorization Access Request (SAAR)) or an equivalent document will be allowed to post files to a temporary location on the server. All posted files to this temporary location will be scanned for viruses and content checked for malicious or mobile code. Only files free of viruses and malicious or mobile code will be posted to the appropriate DocumentRoot directory.
STIG Date
APACHE SITE 2.2 for Unix 2011-12-12

Details

Check Text ( C-10906r1_chk )
Remote web authors should not be able to upload files to the DocumentRoot directory structure without virus checking and checking for malicious or mobile code.

Query the SA to determine if there is anti-virus software active on the server with auto-protect enabled or to determine if there is another process in place for the scanning of files / content being posted by remote authors.

If there is no virus software on the system with auto-protect enabled or if there is not a process in place to ensure all files being posted are being virus scanned before being saved to the document root, this is a finding.
Fix Text (F-13113r1_fix)
Ensure that Anti-Virus software is installed on the system and is set to automatically scan new files that are introduced to the web server.