Check: WA00560 W22
APACHE 2.2 Server for Windows STIG:
WA00560 W22
(in versions v1 r13 through v1 r11)
Title
The URL-path name must be set to the file path name or the directory path name. (Cat II impact)
Discussion
The ScriptAlias directive controls which directories the Apache server "sees" as containing scripts. If the directive uses a URL-path name that is different than the actual file system path, the potential exists to expose the script source code.
Check Content
Locate the Apache httpd.conf file. Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive:

ScriptAlias

If any enabled ScriptAlias directive does not have matching URL-path and file-path/directory-path entries, this is a finding.

Example:

Not a finding: ScriptAlias /cgi-bin/ "[Drive Letter]:/[directory path]/cgi-bin/"

A finding: ScriptAlias /script-cgi-bin/ "[Drive Letter]:/[directory path]/cgi-bin/"
Fix Text
Modify the ScriptAlias directive so the URL-path and file-path/directory-path entries match.
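One way to automate the check above, as an added example that is not part of the STIG. It assumes "matching" means the URL-path equals the trailing portion of the file path, compared case-insensitively (an interpretation of the page's example); the function name, sample paths and config lines are constructed for illustration.

```python
import re

# Apache directive names are case-insensitive; "ScriptAlias" must be followed
# by whitespace, so ScriptAliasMatch is deliberately not covered here.
_DIRECTIVE = re.compile(r'^\s*ScriptAlias\s+(.*)$', re.IGNORECASE)
# Arguments are either double-quoted (closing quote optional, to tolerate a
# truncated line) or a bare run of non-whitespace characters.
_ARG = re.compile(r'"([^"]*)"?|(\S+)')


def _segments(path):
    """Split a URL-path or Windows path into lower-cased, non-empty segments."""
    return [s.lower() for s in path.replace("\\", "/").split("/") if s]


def find_scriptalias_findings(conf_text):
    """Return (line_no, url_path, file_path) for each enabled ScriptAlias whose
    URL-path is not the trailing part of its file/directory path."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        m = _DIRECTIVE.match(raw)          # commented lines start with '#'
        if not m:
            continue
        args = [quoted or bare for quoted, bare in _ARG.findall(m.group(1))]
        if len(args) < 2:                  # malformed; Apache rejects it too
            continue
        url_path, file_path = args[0], args[1]
        url_segs, file_segs = _segments(url_path), _segments(file_path)
        # A bare "/" URL-path has no segments and can never match a directory.
        matches = bool(url_segs) and file_segs[-len(url_segs):] == url_segs
        if not matches:
            findings.append((line_no, url_path, file_path))
    return findings


# Constructed sample httpd.conf content (not taken from a real server).
SAMPLE_CONF = "\n".join([
    '# ScriptAlias /old-cgi/ "C:/Apache2.2/old/"',
    'ScriptAlias /cgi-bin/ "C:/Apache2.2/cgi-bin/"',
    'ScriptAlias /script-cgi-bin/ "C:/Apache2.2/cgi-bin/"',
    r'    scriptalias /apps/cgi/ "D:\web\apps\cgi"',
    'ScriptAliasMatch ^/x/(.*) "C:/Apache2.2/x/$1"',
])

if __name__ == "__main__":
    for line_no, url_path, file_path in find_scriptalias_findings(SAMPLE_CONF):
        print(f"Finding at line {line_no}: {url_path} -> {file_path}")
```

Files pulled in through Include directives are not followed, so run the function over each included configuration file as well.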
Additional Identifiers
Rule ID: SV-33185r1_rule
Vulnerability ID: V-26327
Group Title: WA00560
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |