Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-26327 | WA00560 W22 | SV-33185r1_rule | Medium |
Description |
---|
The ScriptAlias directive controls which directories the Apache server "sees" as containing scripts. If the directive uses a URL-path name that is different than the actual file system path, the potential exists to expose the script source code. |
STIG | Date |
---|---|
APACHE SERVER 2.2 for Windows | 2017-07-05 |
Check Text ( C-33817r1_chk ) |
---|
Locate the Apache httpd.conf file. Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive: ScriptAlias If any enabled ScriptAlias directive does not have matching URL-path and file-path/directory-path entries, this is a finding. Example: Not a finding: ScriptAlias /cgi-bin/ “[Drive Letter]:/[directory path]/cgi-bin/ A finding: ScriptAlias /script-cgi-bin/ “[Drive Letter]:/[directory path]/cgi-bin/ |
Fix Text (F-29469r1_fix) |
---|
Modify the ScriptAlias directive so the URL-path and file-path/directory-path entries match. |