Check: WG410 IIS6
IIS6 Site:
WG410 IIS6
(in version v6 r16)
Title
Interactive scripts must have proper access controls. (Cat II impact)
Discussion
CGI is a ‘programming standard’ for interfacing external applications with information servers, such as HTTP or web servers. CGI, represented by all upper case letters, should not be confused with the .cgi file extension. The .cgi file extension does represent a CGI script, but CGI scripts may be written in a number of programming languages (e.g., PERL, C, PHP, and Javascript), each having their own unique file extension. The use of CGI scripts represent one of the most common and exploitable means of compromising a web server. By definition, CGI scripts are executable by the operating system of the host server. While access control is provided via the web service, the execution of CGI programs is not limited unless the SA or the Web Manager takes specific measures. CGI programs can access and alter data files, launch other programs, and use the network.
Check Content
1. Query the SA to determine if CGI scripts are used on the server. 2. If CGI scripts are being used, ensure they are owned by system, the service account running the web service, the web author, and/or the SA. 3. If CGI scripts are owned by any accounts other than system, the service account running the web service, the web author, and/or the SA, this is a finding. 4. Ensure the anonymous web user account has Read or Read/Execute permissions to the CGI scripts. 5. If the anonymous web user account has CGI script permissions beyond Read or Read/Execute, this is a finding. 6. Using Microsoft Internet Information Services Manager > Right click on the web site to be examined 7. Select the Properties option > Select the Home Directory tab. 8. In the Application settings section verify the Execute permissions states Scripts only. 9. If the Application settings sections Execute permissions states anything but Scripts only, this is a finding. 10. Select the Configuration button > Select the Options tab. 11. Verify the Enable parent paths check box is NOT checked. 12. If the Enable parent paths check box is checked, this is a finding. NOTE: Verify these settings on virtual directories as well. The name of the tab for the virtual directories is "Virtual Directory". The configuration button may not be enabled if it is using the setting from the parent web site. If it is enabled, then validate the settings identified in the manual procedures.
Fix Text
1. Set the ownership of the CGI scripts to system, the service account running the web service, the web author, and/or the SA. 2. Set the CGI script permissions for the anonymous web user account to Read or Read/Execute. 3. Set the Application settings sections Execute permissions to Scripts only. 4. Uncheck the Enable parent paths check box.
Additional Identifiers
Rule ID: SV-28848r1_rule
Vulnerability ID: V-2229
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |