Check: WG410 W22
APACHE SITE 2.0 for Windows:
WG410 W22
(in version v1 r5)
Title
Interactive scripts used on a web server must have proper access controls. (Cat II impact)
Discussion
The use of CGI scripts represent one of the most common and exploitable means of compromising a web server. By definition, CGI scripts are executable by the operating system of the host server. While access control is provided via the web service, the execution of CGI programs is not limited unless the SA or the Web Manager takes specific measures. CGI programs can access and alter data files, launch other programs, and use the network. CGI programs can be written in any available programming language. C, PERL, PHP, Javascript, VBScript, and shell programs (e.g., sh, ksh, bash, etc.) are popular choices. CGI is a standard for interfacing external applications with information servers, such as HTTP or web servers. The definition of CGI as web-based applications is not to be confused with the more specific .cgi file extension. ASP, JSP, JAVA, and PERL scripts are commonly found in these circumstances. Clarification: This vulnerability, which is related to VMS vulnerability V-2228, requires that appropriate access permissions are applied to CGI files.
Check Content
Query the SA to determine if CGI scripts are used as part of the web site. If interactive scripts are being used, check the permissions of these files to ensure they meet the following permissions: interactive script files Administrators Full Control WebManagers Modify System Read/Execute Webserver Account Read/Execute If the interactive scripts do not meet the above permissions or are less restrictive, this is a finding.
Fix Text
Ensure the CGI scripts are owned by root, the service account running the web service, the web author or the SA, and that the anonymous web user account has Read Only or Read - Execute permissions to such scripts.
Additional Identifiers
Rule ID: SV-28849r1_rule
Vulnerability ID: V-2229
Group Title: WG410
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |