UCF STIG Viewer Logo

All interactive programs will be placed in a designated directory with appropriate permissions.


Overview

Finding ID Version Rule ID IA Controls Severity
V-2228 WG400 SV-2228r4_rule DCPA-1 Medium
Description
CGI scripts represent one of the most common and exploitable means of compromising a web server. By definition, CGI scripts are executable programs used by the operating system of the host server. All CGI program files need to be segregated into their own directory to simplify the protection of these files. ASP scripts should be placed into a unique directory that only contains other ASP scripts. JAVA and other technology-specific scripts should also be placed into their own unique directories. The placement of CGI or equivalent scripts to special directories gives the Web Manager or the SA control over what goes into those directories and to facilitate access control at the directory level. Allowing users to execute CGI scripts in any directory should only be considered if the users can be trusted not to write scripts that will deliberately or accidentally expose the server to an attack. These files, if left in directories from which the anonymous web user could read the source code, would make it easier for someone to understand and attack the web server. Clarification: This vulnerability, which is related to VMS vulnerability V-2229, requires that CGI scripts are placed in a unique directory that is not located under the root directory and that appropriate access permissions are applied at the directory level. If it is feasible to segregate CGI scripts that require read/execute permissions from those scripts that only require execute permission, then the web master is encouraged to segregate these scripts into separate directories. Powerful CGI scripts that may be used by authenticated and privileged administrative personnel should always be segregated and placed into separate directories.
STIG Date
Web Server STIG 2010-10-07

Details

Check Text ( C-29846r1_chk )
Review the web site document directory and determine if the CGI programs have been stored in their own directory. The directory containing the CGI scripts will be owned by a privileged account that is not used to run the web site.

Permissions granted to web users accessing the scripts directory and its content files should be the most restrictive possible. Since read authority allows a user to download and potentially view a file, access permission to the script files should be limited to script execution. However, if read authority is necessary, powerful scripts such as those used to administratively maintain a web site or those scripts containing sensitive information, should be segregated into a directory that is inaccessible to the general user population. Under no condition should web users be granted write authority to either a script directory or to a script file.

The reviewer should check for the following:
1. All CGI programs will be located in a separate directory that is not under the web root directory.
2. The CGI directory contents will not be available to external FTP clients.
3. CGI scripts will not be located in the web server or web application server document directories, unless required by server software installation.
4. The CGI directory will be owned by a privileged account that is not used to run the web site. The directory permissions should be set as follows:

System Administrator: full
Web service account: read/execute
Group (web users): execute
Other: none

If any of these requirements are not met, this is a finding.
Fix Text (F-26734r1_fix)
Ensure the CGI, or an equivalent program, directory has appropriate access controls.