Check: WEBPL032
Web Policy STIG: WEBPL032 (in version v1 r1)
Title
All interactive CGI programs used on the production web server will be documented. (Cat III impact)
Discussion
Common Gateway Interface (CGI) is a standard protocol that defines how web server software can delegate the generation of web pages to an external application or the web browser. These web server-based applications, known as CGI scripts, are not to be confused with the more specific .cgi file extension. CGI applications can be written in many programming languages. Common applications involve the acquisition of data between a web page and the web browser, executing the CGI scripts, and returning customized web content. Using CGI can compromise security: carelessly written CGI programs can grant a malicious user as much access to the server as a privileged account. Documenting these programs allows the site to maintain an inventory of its interactive programs so that rogue programs are not installed and running on the web server.
Check Content
The intent of this check is to provide awareness to the hosting agency of all CGI and program scripts installed on the web server in support of hosted content. It is not the responsibility of the hosting agency to document the CGI and program scripts. It is the responsibility of the agency owning the web application or web site to provide this information to the hosting agency. Documentation will include the language used, the purpose of the program, and an IA certification. This documentation will be provided to the IAO.

If a COTS product is installed containing CGI, it will be documented by the owner of the hosted information. If a manifest is available for the COTS CGI or it is feasible to generate a manifest listing the CGI associated with the COTS product, it will be provided to the hosting agency. There will be no penalty at this time for failure to provide a list of COTS associated CGI, but it will be a requirement to provide IA assurance for the COTS product. The potential direction of this requirement may be to scan against the installation of unauthorized programs and scripts.

The reviewer will ask to see an example of a documented program from the web server. If the site cannot produce documentation that shows that it is maintaining documentation of interactive programs, this is a finding.
Fix Text
Establish a process for ensuring all CGI programs used on the web server are documented. Documentation will include the language used, the program’s purpose, and the program’s IA certification. This documentation will be provided to the IAO.
Additional Identifiers
Rule ID: SV-28770r1_rule
Vulnerability ID: V-23834
Group Title: Web Server scripts are documented.
CCIs
No CCIs are assigned to this check.
Controls
No controls are assigned to this check.