Interactive scripts used on a web server will have proper access controls.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-2229	WG410	SV-2229r5_rule	ECLP-1	Medium

Description
CGI is a ‘programming standard’ for interfacing external applications with information servers, such as HTTP or web servers. CGI, represented by all upper case letters, should not be confused with the .cgi file extension. The .cgi file extension does represent a CGI script, but CGI scripts may be written in a number of programming languages (e.g., PERL, C, PHP, and Javascript), each having their own unique file extension. The use of CGI scripts represent one of the most common and exploitable means of compromising a web server. By definition, CGI scripts are executable by the operating system of the host server. While access control is provided via the web service, the execution of CGI programs is not limited unless the SA or the Web Manager takes specific measures. CGI programs can access and alter data files, launch other programs, and use the network. Clarification: This vulnerability, which is related to VMS vulnerability V-2228, requires that appropriate access permissions are applied to CGI files.

Description

CGI is a ‘programming standard’ for interfacing external applications with information servers, such as HTTP or web servers. CGI, represented by all upper case letters, should not be confused with the .cgi file extension. The .cgi file extension does represent a CGI script, but CGI scripts may be written in a number of programming languages (e.g., PERL, C, PHP, and Javascript), each having their own unique file extension. The use of CGI scripts represent one of the most common and exploitable means of compromising a web server. By definition, CGI scripts are executable by the operating system of the host server. While access control is provided via the web service, the execution of CGI programs is not limited unless the SA or the Web Manager takes specific measures. CGI programs can access and alter data files, launch other programs, and use the network. Clarification: This vulnerability, which is related to VMS vulnerability V-2228, requires that appropriate access permissions are applied to CGI files.

STIG	Date
Web Server STIG	2010-10-07

Details

Check Text ( C-29510r1_chk )
Query the SA to determine if CGI scripts are used on the server. If CGI programs are being used, check the permissions of these files to ensure they are not owned by the non-privileged account running the web server and have proper access controls. If the CGI programs are owned by the web server account, this is a finding. The directory used to store .asp or .jsp files in Windows is generally the Scripts directory. This directory should be virtualized. Permissions granted to web users accessing the scripts directory and its content files should be the most restrictive possible. Since read authority allows a user to download and potentially view a file, access permission to the script files should be limited to script execution. However, if read authority is necessary, powerful scripts such as those used to administratively maintain a web site, or those scripts containing sensitive information, should be segregated into a directory that is inaccessible to the general user population. Under no condition should web users be granted write authority to either a script directory or a script file. Additionally, the non-privileged account used to run the web site should have its permission limited to execute or read-execute.

Check Text ( C-29510r1_chk )

Query the SA to determine if CGI scripts are used on the server. If CGI programs are being used, check the permissions of these files to ensure they are not owned by the non-privileged account running the web server and have proper access controls. If the CGI programs are owned by the web server account, this is a finding.

The directory used to store .asp or .jsp files in Windows is generally the Scripts directory. This directory should be virtualized.

Permissions granted to web users accessing the scripts directory and its content files should be the most restrictive possible. Since read authority allows a user to download and potentially view a file, access permission to the script files should be limited to script execution. However, if read authority is necessary, powerful scripts such as those used to administratively maintain a web site, or those scripts containing sensitive information, should be segregated into a directory that is inaccessible to the general user population. Under no condition should web users be granted write authority to either a script directory or a script file. Additionally, the non-privileged account used to run the web site should have its permission limited to execute or read-execute.

Fix Text (F-27173r1_fix)
Ensure the CGI scripts are owned by a privileged account and not the non-privileged account running the web site. Ensure the anonymous web user account and the web service account running the web site only has Read-Only or Read-Execute permissions to such scripts.