Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-214290 | AS24-U2-000580 | SV-214290r612241_rule | Medium |
Description |
---|
A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To allow a client access to system files of any type is a major security risk that is entirely avoidable. Obtaining such access is the goal of directory traversal and URL manipulation vulnerabilities. To facilitate such access by misconfiguring the web document (home) directory is a serious error. In addition, having the path on the same drive as the system folder compounds potential attacks such as drive space exhaustion. |
STIG | Date |
---|---|
Apache Server 2.4 UNIX Site Security Technical Implementation Guide | 2021-12-17 |
Check Text ( C-15503r277211_chk ) |
---|
Run the following command: grep "DocumentRoot"<'INSTALL PATH'>/conf/httpd.conf Note each location following the "DocumentRoot" string. This is the configured path to the document root directory(s). Use the command df -k to view each document root's partition setup. Compare that against the results for the operating system file systems and against the partition for the web server system files, which is the result of the command: df -k <'INSTALL PATH'>/bin If the document root path is on the same partition as the web server system files or the operating system file systems, this is a finding. |
Fix Text (F-15501r277212_fix) |
---|
Move the web document (normally "htdocs") directory to a separate partition other than the operating system root partition and the web server’s system files. |