
Symbolic links must not be used in the web content directory tree.


Overview

Finding ID: V-2227
Version: WG360 A22
Rule ID: SV-30576r1_rule
IA Controls: DCPA-1, ECSC-1
Severity: High
Description
A symbolic link allows a file or a directory to be referenced using a symbolic name raising a potential hazard if symbolic linkage is made to a sensitive area. When web scripts are executed and symbolic links are allowed, the web user could be allowed to access locations on the web server that are outside the scope of the web document root or home directory.
STIG: APACHE SITE 2.2 for Unix
Date: 2015-08-27

Details

Check Text (C-31108r1_chk)
Locate the directories containing the web content, (i.e., /usr/local/apache/htdocs).

Use ls -al.

An entry, such as the following, would indicate the presence and use of symbolic links:

lr-xr--r-- 4000 wwwusr wwwgrp 2345 Apr 15 data -> /usr/local/apache/htdocs

Such a result found in a web document directory is a finding.

Additionally, check the Options directive for the web content directories in the httpd.conf file:

Options FollowSymLinks
AllowOverride None

The above configuration is incorrect and is a finding. The correct configuration is:

Options SymLinksIfOwnerMatch
AllowOverride None

Finally, the target file or directory must be owned by the same owner as the link, which should be a privileged account with access to the web content.
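The three parts of the check above (symbolic links under the document root, the Options directive in httpd.conf, and link/target ownership) can be walked with a short script. This is an added example, not DISA's own check code; it assumes a POSIX shell with find, grep and GNU or BSD stat, and the function and fixture names are this example's own.

```shell
#!/bin/sh
# Added helper for walking the V-2227 check (not DISA's own script).
# Assumes a POSIX shell with find(1), grep(1) and GNU or BSD stat(1);
# function and fixture names are this example's own.

# Print every symbolic link under a document root, one per line.
# Returns 1 when at least one link exists (a finding), 0 when none do.
find_symlinks() {
    links=$(find "$1" -type l 2>/dev/null)
    [ -z "$links" ] && return 0
    printf '%s\n' "$links"
    return 1
}

# Return 0 when a link and the file it points to share a numeric owner (uid).
# A link whose target cannot be read counts as a mismatch.
link_owner_matches() {
    link_uid=$(stat -c %u "$1" 2>/dev/null || stat -f %u "$1")
    target_uid=$(stat -L -c %u "$1" 2>/dev/null || stat -L -f %u "$1" 2>/dev/null)
    [ -n "$target_uid" ] && [ "$link_uid" = "$target_uid" ]
}

# Print FINDING when an Options directive enables FollowSymLinks (plain or
# +FollowSymLinks); SymLinksIfOwnerMatch and -FollowSymLinks print PASS.
check_options() {
    if grep -Eiq '^[[:space:]]*Options([[:space:]].*)?[[:space:]][+]?FollowSymLinks' "$1"
    then echo FINDING
    else echo PASS
    fi
}

# Constructed fixture: a throw-away docroot holding one link that escapes it
# and one that stays inside, plus the two httpd.conf fragments from the check.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/htdocs/static"
    ln -s /etc "$fx/htdocs/data"          # points outside the document root
    ln -s static "$fx/htdocs/site"        # same owner as its target
    printf 'Options FollowSymLinks\nAllowOverride None\n' > "$fx/bad.conf"
    printf 'Options SymLinksIfOwnerMatch\nAllowOverride None\n' > "$fx/good.conf"
    echo "$fx"
}

fixture=$(make_fixture)
find_symlinks "$fixture/htdocs" || echo "symbolic link(s) in docroot: finding"
check_options "$fixture/bad.conf"     # FINDING
check_options "$fixture/good.conf"    # PASS
```

On a real host, point find_symlinks at each directory that serves web content and check_options at the active httpd.conf; any link that find_symlinks lists and any FINDING from check_options is a finding under this rule.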
Fix Text (F-26783r1_fix)
Disable symbolic links.