The URL-path name must be set to the file path name or the directory path name.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-26327 | WA00560 W22 | SV-33185r1_rule | - | medium |
| Description |
| The ScriptAlias directive controls which directories the Apache server "sees" as containing scripts. If the directive uses a URL-path name that is different than the actual file system path, the potential exists to expose the script source code. |
| STIG | Date |
| APACHE 2.2 Server for Windows Security Technical Implementation Guide | 2018-12-24 |
Details
Check Text (C-33185r1_chk)
Locate the Apache httpd.conf file.
Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive: ScriptAlias
If any enabled ScriptAlias directive does not have matching URL-path and file-path/directory-path entries, this is a finding.
Example:
Not a finding:
ScriptAlias /cgi-bin/ "[Drive Letter]:/[directory path]/cgi-bin/"
A finding:
ScriptAlias /script-cgi-bin/ "[Drive Letter]:/[directory path]/cgi-bin/"
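The check above can be automated; the following is an added example, not part of the STIG text. It flags every enabled ScriptAlias whose file path does not end with its URL-path, an assumed reading of "matching" taken from the two examples above. The function name, the sample configuration and its C:/Apache2.2 paths are constructed for illustration.

```python
import re

# An argument is either a double-quoted string or a bare token.
_ARG = re.compile(r'"([^"]*)"|(\S+)')
# Directive names are case-insensitive; requiring whitespace right after the
# name keeps ScriptAliasMatch (a regex directive) out of this check.
_DIRECTIVE = re.compile(r"^\s*ScriptAlias\s+(.*)$", re.IGNORECASE)

# Constructed sample input; the C:/Apache2.2 paths are illustrative only.
SAMPLE_CONF = r'''# ScriptAlias /old-cgi/ "C:/Apache2.2/legacy/"
ScriptAlias /cgi-bin/ "C:/Apache2.2/cgi-bin/"
scriptalias /script-cgi-bin/ "C:/Apache2.2/cgi-bin/"
ScriptAlias /bin/ C:\Apache2.2\cgi-bin
ScriptAliasMatch ^/cgi/(.*) "C:/Apache2.2/cgi-bin/$1"
'''


def _segments(path):
    """Path segments, lower-cased because Windows paths are case-insensitive."""
    return [s.lower() for s in path.replace("\\", "/").split("/") if s]


def audit_script_alias(conf_text):
    """Return (line_no, url_path, file_path, is_finding) per enabled ScriptAlias."""
    results = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        # Commented lines start with '#', so they never match the directive.
        match = _DIRECTIVE.match(line)
        if not match:
            continue
        args = [quoted or bare for quoted, bare in _ARG.findall(match.group(1))]
        url_path, file_path = (args + ["", ""])[:2]
        url, fs = _segments(url_path), _segments(file_path)
        # Assumed reading of "matching": the file path ends with the URL-path,
        # compared segment by segment so /bin/ does not match .../cgi-bin/.
        matches = bool(url) and fs[-len(url):] == url
        results.append((line_no, url_path, file_path, not matches))
    return results


if __name__ == "__main__":
    for line_no, url_path, file_path, finding in audit_script_alias(SAMPLE_CONF):
        status = "FINDING" if finding else "ok"
        print(f"line {line_no}: {status}: {url_path} -> {file_path}")
```

Configuration pulled in through Include directives needs the same check run on each included file.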
Fix Text (F-29469r1_fix)
Modify the ScriptAlias directive so the URL-path and file-path/directory-path entries match.