STIGQter: STIG Summary: Apache Server 2.4 Windows Server Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

Warning and error messages displayed to clients must be modified to minimize the identity of the Apache web server, patches, loaded modules, and directory paths.

DISA Rule

SV-214339r505936_rule

Vulnerability Number

V-214339

Group Title

SRG-APP-000266-WSR-000159

Rule Version

AS24-W1-000620

Severity

CAT II

CCI(s)

• CCI-001312 - The information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

Weight

10

Fix Recommendation

Edit the <'INSTALL PATH'>\conf\httpd.conf file and use the "ErrorDocument" directive to enable custom error pages.

ErrorDocument 500 "Sorry, our script crashed. Oh dear"
ErrorDocument 500 /cgi-bin/crash-recover
ErrorDocument 500 http://error.example.com/server_error.html
ErrorDocument 404 /errors/not_found.html
ErrorDocument 401 /subscription/how_to_subscribe.html

The syntax of the ErrorDocument directive is:

ErrorDocument <3-digit-code> <action>

Restart the Apache service.

Additional Information:

https://httpd.apache.org/docs/2.4/custom-error.html

Check Contents

Review the <'INSTALL PATH'>\conf\httpd.conf file.

If the "ErrorDocument" directive is not being used, this is a finding.

Vulnerability Number

V-214339

Documentable

False

Rule Version

AS24-W1-000620

Severity Override Guidance

Review the <'INSTALL PATH'>\conf\httpd.conf file.

If the "ErrorDocument" directive is not being used, this is a finding.

Check Content Reference

M

Target Key

3998

Comments