Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-3333 | WG205 | SV-3333r6_rule | DCPA-1 | Medium |
Description |
---|
Web content is accessible to the anonymous web user. For that account to have access to system files of any type is a major, and entirely avoidable, security risk: obtaining such access is the goal of directory traversal and URL manipulation attacks, and mis-configuring the web document (home) directory so that it sits among the web server's system files grants that access without any exploit at all. In addition, placing the document directory on the same drive as the system folder compounds attacks such as drive space exhaustion, since content written under the document root then consumes the space the operating system and web server themselves depend on. |
STIG | Date |
---|---|
Web Server STIG | 2010-10-07 |
Check Text ( C-29342r1_chk ) |
---|
Query the SA to ascertain the location of the system files for the web software. Also, verify the properties of the web site to determine whether the web site document directory is located in the same directory (or on the same partition) as the web system software. Confirm that additional services or applications are not installed on the same partition as the operating system's root directory or the web document root. If additional services or applications are installed on the same partition as the operating system's root directory or the web document root directory, this is a finding. If the web site document directory is located in the same directory as the web system software, this is a finding. |
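On a Unix host the partition comparisons in this check can be scripted rather than eyeballed from mount tables. The script below is an added example and is not DISA's check procedure or any vendor's tool; it assumes a Linux/Unix host where `stat -c %d` (with `df -P` as a fallback) identifies the filesystem holding a path, and every directory path in it is a hypothetical placeholder for the locations the SA reports.

```shell
#!/bin/sh
# Added example for WG205 (not DISA's check text or any vendor tool).
# Assumes a Linux/Unix host with GNU coreutils; falls back to df(1) where
# `stat -c` is unavailable. All paths passed in are hypothetical and would
# be replaced with the locations the SA reports.

# fs_id PATH: print an identifier for the filesystem (partition) holding PATH.
# st_dev from stat(2) is the device of the containing mount, so two paths on
# the same partition print the same number even when their directories are
# unrelated, which is exactly the "same partition" question the check asks.
fs_id() {
    stat -c '%d' "$1" 2>/dev/null || df -P "$1" | awk 'NR == 2 { print $1 }'
}

# same_fs A B: succeed (exit 0) when A and B live on the same partition.
same_fs() {
    [ "$(fs_id "$1")" = "$(fs_id "$2")" ]
}

# wg205_check OS_ROOT WEB_SYSTEM_DIR DOC_ROOT [OTHER_APP_DIR ...]
# Prints one "FINDING:" line per violation named in the check text:
#   - document root on the same partition as the web server's system files
#   - any additional service/application on the OS root partition
#   - any additional service/application on the document root's partition
# Returns 0 when there are no findings, 1 when there is at least one,
# and 2 when an argument is not an existing directory.
wg205_check() {
    os_root=$1; web_sys=$2; doc_root=$3
    shift 3
    findings=0
    for p in "$os_root" "$web_sys" "$doc_root" "$@"; do
        [ -d "$p" ] || { echo "ERROR: $p is not a directory" >&2; return 2; }
    done
    if same_fs "$web_sys" "$doc_root"; then
        echo "FINDING: document root $doc_root shares a partition with web server files in $web_sys"
        findings=$((findings + 1))
    fi
    for app in "$@"; do
        if same_fs "$app" "$os_root"; then
            echo "FINDING: $app is installed on the operating system root partition ($os_root)"
            findings=$((findings + 1))
        fi
        if same_fs "$app" "$doc_root"; then
            echo "FINDING: $app shares a partition with the web document root ($doc_root)"
            findings=$((findings + 1))
        fi
    done
    if [ "$findings" -eq 0 ]; then
        echo "PASS: document root, web server files and other applications are on separate partitions"
        return 0
    fi
    return 1
}

# Example invocation with hypothetical paths (an Apache-style layout); a real
# review substitutes the SA-supplied directories:
#   wg205_check / /usr/local/apache2 /srv/www/htdocs /opt/tomcat /opt/db
```

Because the comparison is by filesystem device rather than by path prefix, a document root that is a bind mount or symlink into the web server's install tree is still reported, while a document root under a path that merely looks adjacent (say `/srv/www` next to `/srv/apache2`) passes as long as it is a separate mount. The script reports only the two conditions the check text names as findings; whether the document root also shares the operating system's partition (the drive-space concern in the description) is left for the reviewer to judge.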
Fix Text (F-26841r1_fix) |
---|
Ensure the web document (home) directory is in a separate partition from the web server’s system files. |