UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Interactive scripts used on a web server must have proper access controls.


Overview

Finding ID Version Rule ID IA Controls Severity
V-2229 WG410 W22 SV-28849r1_rule ECLP-1 Medium
Description
The use of CGI scripts represent one of the most common and exploitable means of compromising a web server. By definition, CGI scripts are executable by the operating system of the host server. While access control is provided via the web service, the execution of CGI programs is not limited unless the SA or the Web Manager takes specific measures. CGI programs can access and alter data files, launch other programs, and use the network. CGI programs can be written in any available programming language. C, PERL, PHP, Javascript, VBScript, and shell programs (e.g., sh, ksh, bash, etc.) are popular choices. CGI is a standard for interfacing external applications with information servers, such as HTTP or web servers. The definition of CGI as web-based applications is not to be confused with the more specific .cgi file extension. ASP, JSP, JAVA, and PERL scripts are commonly found in these circumstances. Clarification: This vulnerability, which is related to VMS vulnerability V-2228, requires that appropriate access permissions are applied to CGI files.
STIG Date
APACHE SITE 2.0 for Windows 2014-12-05

Details

Check Text ( C-35739r1_chk )
Query the SA to determine if CGI scripts are used as part of the web site.

If interactive scripts are being used, check the permissions of these files to ensure they meet the following permissions:

interactive script files

Administrators Full Control
WebManagers Modify
System Read/Execute
Webserver Account Read/Execute

If the interactive scripts do not meet the above permissions or are less restrictive, this is a finding.
Fix Text (F-30980r1_fix)
Ensure the CGI scripts are owned by root, the service account running the web service, the web author or the SA, and that the anonymous web user account has Read Only or Read - Execute permissions to such scripts.