Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
Web server status module will be disabled.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-26294 | WA00510 W20 | SV-36612r1_rule | ECAN-1 | Medium |
| Description |
|---|
| The Apache mod_info module provides information on the server configuration via access to a /server-info URL location, while the mod_status module provides current server performance statistics. While having server configuration and status information available as a web page may be convenient, it’s recommended that these modules NOT be enabled: Once mod_info is loaded into the server, its handler capability is available in per-directory .htaccess files and can leak sensitive information from the configuration directives of other Apache modules such as system paths, usernames/passwords, database names, etc. If mod_status is loaded into the server, its handler capability is available in all configuration files, including per-directory files (e.g., .htaccess) and may have security-related ramifications. |
| STIG | Date |
|---|---|
| APACHE SERVER 2.0 for Windows | 2015-08-27 |
Details
| Check Text ( C-35707r1_chk ) |
|---|
| Open the httpd.conf file. Search for uncommented LoadModule info_module and LoadModule status_module directive statements. If any of these statements are found uncommented, this is a finding. |
| Fix Text (F-30949r1_fix) |
|---|
| Disable info and status modules by adding a "#" in front of them within the httpd.conf file, and restarting the Apache httpd service. |