
The CGI-Bin directory or the directory that maintains CGI scripts is not the only directory to have the ExecCGI directive applied.


Overview

Finding ID: V-13731
Version: WA000-WWA050
Rule ID: SV-14341r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Directory options directives are httpd.conf directives that can be applied to further restrict access to files and directories. The Options directive controls which server features are available in a particular directory. The ExecCGI option controls the execution of CGI scripts using mod_cgi. This needs to be restricted to only the directory intended for script execution.
STIG Date
IIS 7.0 Server STIG 2019-03-22

Details

Check Text ( C-10983r1_chk )
Locate the Apache httpd.conf file. If you cannot locate the file, you can do a search of the drive to find the location of the file. Open the httpd.conf file with an editor and search for the following directive:


Then review the Options statement for the following value: ExecCGI

If the value is found on an options statement within the Directory directive, and it does not have a "-" preceding it, this is a finding. If the value does not exist, this would be a finding unless the Options statement has the "None" option.

Please be sure to check all occurrences of the Directory directive for the presence of the ExecCGI value. If it is enabled on any of these, this would be a finding.

NOTE: If the value is found on an options statement within the Directory directive, and this is a directory used for interactive scripts (CGI), this is not a finding.
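
The check above, sketched as a script; this is an added example, not part of the STIG text. It assumes the configuration is passed in as text with no Include files resolved, evaluates only Options lines inside Directory blocks, and takes the approved CGI directories from the caller; the names audit_execcgi, norm and cgi_dirs and the sample paths are hypothetical.

```python
import re

DIR_OPEN = re.compile(r'^<Directory(?:Match)?\s+"?([^">]+)"?\s*>', re.I)
DIR_CLOSE = re.compile(r'^</Directory(?:Match)?\s*>', re.I)
OPTIONS = re.compile(r'^Options\s+(.+)$', re.I)

# Constructed sample configuration (not taken from a real server).
SAMPLE = """\
<Directory />
    Options None
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks ExecCGI
</Directory>
<Directory "/var/www/uploads">
    Options -ExecCGI -Indexes
</Directory>
<Directory "/var/www/docs">
    Options Indexes
</Directory>
<Directory "/var/www/cgi-bin">
    Options +ExecCGI
</Directory>
"""

def norm(path):
    return path.strip().rstrip("/") or "/"

def audit_execcgi(conf_text, cgi_dirs=()):
    """Return (directory, line_no, reason) for each Options line that is a finding."""
    exempt = {norm(d) for d in cgi_dirs}  # assumption: caller names the CGI dirs
    findings, current = [], None
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()  # comment lines start with '#' and match nothing below
        if (m := DIR_OPEN.match(line)):
            current = norm(m.group(1))
        elif DIR_CLOSE.match(line):
            current = None
        elif current is not None and current not in exempt and (m := OPTIONS.match(line)):
            opts = {o.lower() for o in m.group(1).split()}
            if opts & {"execcgi", "+execcgi"}:
                findings.append((current, line_no, "ExecCGI enabled"))
            elif "-execcgi" not in opts and "none" not in opts:
                findings.append((current, line_no, "ExecCGI not removed, Options not None"))
    return findings

if __name__ == "__main__":
    for directory, line_no, reason in audit_execcgi(SAMPLE, ["/var/www/cgi-bin"]):
        print(f"finding: {directory} (line {line_no}): {reason}")
```

Run without cgi_dirs, the script also reports the cgi-bin block, which is how the NOTE above is applied: the reviewer decides which directories are meant for interactive scripts.
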
Fix Text (F-13179r1_fix)
Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias or other Script* directives.

Remove the printenv default CGI in cgi-bin directory if it is installed.
rm $APACHE_PREFIX/cgi-bin/printenv

Remove the test-cgi file from the cgi-bin directory if it is installed.
rm $APACHE_PREFIX/cgi-bin/test-cgi

Review and remove any other cgi-bin files which are not needed for business purposes.