STIGQter: STIG Summary: Apache Server 2.4 Windows Site Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 24 Jul 2020:

Warning and error messages displayed to clients must be modified to minimize the identity of the Apache web server, patches, loaded modules, and directory paths.

DISA Rule

SV-102643r1_rule

Vulnerability Number

V-92555

Group Title

SRG-APP-000266-WSR-000159

Rule Version

AS24-W2-000620

Severity

CAT II

CCI(s)

• CCI-001312 - The information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

Weight

10

Fix Recommendation

Edit the <'INSTALLED PATH'>\conf\httpd.conf file and use the "ErrorDocument" directive to enable custom error pages.

ErrorDocument 500 "Sorry, our script crashed. Oh dear"
ErrorDocument 500 /cgi-bin/crash-recover
ErrorDocument 500 http://error.example.com/server_error.html
ErrorDocument 404 /errors/not_found.html
ErrorDocument 401 /subscription/how_to_subscribe.html

The syntax of the ErrorDocument directive is:

ErrorDocument <3-digit-code> <action>

Additional Information:

https://httpd.apache.org/docs/2.4/custom-error.html

Check Contents

Review the <'INSTALLED PATH'>\conf\httpd.conf file.

If the "ErrorDocument" directive is not being used, this is a finding.

Vulnerability Number

V-92555

Documentable

False

Rule Version

AS24-W2-000620

Severity Override Guidance

Review the <'INSTALLED PATH'>\conf\httpd.conf file.

If the "ErrorDocument" directive is not being used, this is a finding.

Check Content Reference

M

Target Key

3419

Comments