The CGI script directory has improper access controls.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-2228	WG400	SV-6927r1_rule		Medium

Description
CGI scripts represents one of the most common and exploitable means of compromising a web server. By definition, CGI are executable by the operating system of the host server. While access control is provided via the web service, the execution of CGI programs is not otherwise limited unless the SA or Web Manager take specific measures. CGI programs can access and alter data files, launch other programs and use the network. CGI programs can be written in any available programming language. C, PERL, PHP, Javascript, VBScript and shell (sh, ksh, bash) are popular choices. Apache: suexec must be enabled to ensure that scripts run in the proper context.

Description

CGI scripts represents one of the most common and exploitable means of compromising a web server. By definition, CGI are executable by the operating system of the host server. While access control is provided via the web service, the execution of CGI programs is not otherwise limited unless the SA or Web Manager take specific measures. CGI programs can access and alter data files, launch other programs and use the network. CGI programs can be written in any available programming language. C, PERL, PHP, Javascript, VBScript and shell (sh, ksh, bash) are popular choices. Apache: suexec must be enabled to ensure that scripts run in the proper context.

STIG	Date
IIS 7.0 Server STIG	2019-03-22

Details

Check Text ( C-2781r1_chk )
Windows uses command.com as the default shell and will execute .bat and .exe files. NTFS permissions are: WebUser account (i.e webuser or nobody) – Read and Execute Security is enhanced with virtual directories because it adds another level of abstraction to the site, altering the way in which Internet users access the information. Only directories that contain information to be published or downloaded should have Read permission set. To prevent clients from downloading executable files or scripts that always contain sensitive information and application logic, these files will be located in separate directories without Read/Write permission. If the CGI script directory has improper access controls this is a finding.

Check Text ( C-2781r1_chk )

Windows uses command.com as the default shell and will execute .bat and .exe files. NTFS permissions are: WebUser account (i.e webuser or nobody) – Read and Execute

Security is enhanced with virtual directories because it adds another level of abstraction to the site, altering the way in which Internet users access the information. Only directories that contain information to be published or downloaded should have Read permission set. To prevent clients from downloading executable files or scripts that always contain sensitive information and application logic, these files will be located in separate directories without Read/Write permission.

If the CGI script directory has improper access controls this is a finding.

Fix Text (F-2277r1_fix)
Ensure the CGI (or equivalent i.e. scripts) directory has access controls IAW the WEB Services STIG.