| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-3333 | WG205 | SV-3333r1_rule | | Medium |

| Description |
|---|
| Web content is accessible to the anonymous web user. For such an account to have access to system files of any type is a major security risk that is entirely avoidable. Obtaining such access is the goal of directory traversal and URL manipulation vulnerabilities, so facilitating it by misconfiguring the web document (home) directory is a serious error. In addition, having the path on the same drive as the system folder compounds potential attacks such as drive space exhaustion. |

| STIG | Date |
|---|---|
| IIS 7.0 Server STIG | 2019-03-22 |

| Check Text (C-29342r1_chk) |
|---|
| To view the DocumentRoot value, enter the following command: `grep "DocumentRoot" /usr/local/apache2/conf/httpd.conf`. Note the location following the DocumentRoot string; this is the path to the document root directory. If the path is on the same partition as the web server system files or the OS root, this is a finding. |

| Fix Text (F-26841r1_fix) |
|---|
| Move the web document (normally "htdocs") directory to a separate partition, other than the OS root partition and the web server's system files. |
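A script that automates the check text above, added here as an example and not part of the STIG or of any vendor tooling: it reads `DocumentRoot` from httpd.conf and compares the filesystem device id of that path with those of the OS root and of the web server's own directory, reporting a finding when they coincide. It assumes GNU `stat -c %d` (with a BSD `stat -f %d` fallback) and that the two paths passed in are the config file and the server's system-file directory from the check text.

```shell
#!/bin/sh
# Added example, not part of the STIG: automates the DocumentRoot partition check.
# Assumes GNU stat (-c %d) with a BSD stat (-f %d) fallback; both paths are parameters.

# Print the first DocumentRoot value in an httpd.conf, quotes removed, comment lines skipped.
document_root() {
    sed -n 's/^[[:space:]]*DocumentRoot[[:space:]][[:space:]]*"*\([^" ]*\)"*.*/\1/p' "$1" | head -n 1
}

# Filesystem (device) id of a path. A document root that does not exist yet is
# resolved through its nearest existing ancestor, so it still maps to a partition.
device_of() {
    p="$1"
    while [ ! -e "$p" ] && [ "$p" != "/" ]; do
        p=$(dirname "$p")
    done
    stat -c %d "$p" 2>/dev/null || stat -f %d "$p"
}

# Return 0 (pass) when the document root is on a different partition from both the
# OS root and the web server's own files, 1 (finding) when it shares one with either,
# and 2 when the config contains no DocumentRoot directive.
check_docroot_partition() {
    conf="$1"
    server_root="$2"
    docroot=$(document_root "$conf")
    if [ -z "$docroot" ]; then
        echo "no DocumentRoot directive in $conf" >&2
        return 2
    fi
    dr=$(device_of "$docroot")
    os=$(device_of /)
    sr=$(device_of "$server_root")
    if [ "$dr" = "$os" ] || [ "$dr" = "$sr" ]; then
        echo "FINDING: $docroot shares a partition with the OS root or with $server_root"
        return 1
    fi
    echo "PASS: $docroot is on its own partition"
    return 0
}

# Usage, with the paths named in the check text:
# check_docroot_partition /usr/local/apache2/conf/httpd.conf /usr/local/apache2
```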