Check: WG237 W22
APACHE 2.2 Server for Windows STIG:
WG237 W22
(in versions v1 r13 through v1 r11)
Title
Remote authors or content providers must have all files scanned for malware before uploading files to the Document Root directory. (Cat II impact)
Discussion
Remote web authors should not be able to upload files to the DocumentRoot directory structure without virus checking and checking for malicious or mobile code. A remote web user whose agency has a Memorandum of Agreement (MOA) with the hosting agency and has submitted a DoD form 2875 (System Authorization Access Request (SAAR)) or an equivalent document will be allowed to post files to a temporary location on the server. All posted files to this temporary location will be scanned for viruses and content checked for malicious or mobile code. Only files free of viruses and malicious or mobile code will be posted to the appropriate Document Root directory.
Check Content
Remote web authors should not be able to upload files to the Document Root directory structure without virus checking and checking for malicious or mobile code. Query the SA to determine if there is anti-virus software active on the server with auto-protect enabled, or if there is another process in place for the scanning of files being posted by remote authors. If there is no virus software on the system with auto-protect enabled, or if there is not a process in place to ensure all files being posted are being virus scanned before being saved to the document root, this is a finding.
Fix Text
Install anti-virus software on the system and set it to automatically scan new files that are introduced to the web server.
Additional Identifiers
Rule ID: SV-40826r1_rule
Vulnerability ID: V-13687
Group Title: WG237
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |