STIGQter: STIG Summary: APACHE 2.2 Site for Windows Security Technical Implementation Guide Version: 1 Release: 13 Benchmark Date: 25 Jan 2019: STIGQter: STIG Summary: APACHE 2.2 Site for Windows Security Technical Implementation Guide Version: 1 Release: 13 Benchmark Date: 25 Jan 2019:SV-33144r1_rule
V-2272
WG460
WG460 W22
CAT II
10
Adjust the PERL scripts or the registry to include the appropriate comments.
Locate the Apache httpd.conf file.
If unable to locate the file, perform a search of the system to find the location of the file.
Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive: ScriptInterpreterSource
For any enabled ScriptInterpreterSource directives the only authorized entries are Registry-Strict or Script. If any other entry (i.e. Registry) is found, this is a finding.
For all enabled ScriptInterpreterSource directives set to Registry-Strict: open regedit then Navigate to the following location: HKEY_CLASSES_ROOT\.pl\Shell\ExecCGI\Command\(Default) => C:\Perl\bin\perl.exe –T (This entry should specify the location of the Perl.exe file). If this entry is not found, this is a finding.
For all enabled ScriptInterpreterSource directive set to Script: Search the system for all files ending with “.pl”. Open all files found with a text editor and ensure the following entry is found - #![Drive Letter]:/[Path to Perl install directory]/bin/perl.exe –T. If this entry is not found, this is a finding.
NOTE: This applies to PERL scripts that are used as part of the web server and not all PERL scripts that are on the system.
NOTE: If the mod_perl module is installed, and the directive “PerlTaintCheck on” is entered in the httpd.conf, this satisfies the requirement.
V-2272
False
WG460 W22
WG460 - General
Locate the Apache httpd.conf file.
If unable to locate the file, perform a search of the system to find the location of the file.
Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive: ScriptInterpreterSource
For any enabled ScriptInterpreterSource directives the only authorized entries are Registry-Strict or Script. If any other entry (i.e. Registry) is found, this is a finding.
For all enabled ScriptInterpreterSource directives set to Registry-Strict: open regedit then Navigate to the following location: HKEY_CLASSES_ROOT\.pl\Shell\ExecCGI\Command\(Default) => C:\Perl\bin\perl.exe –T (This entry should specify the location of the Perl.exe file). If this entry is not found, this is a finding.
For all enabled ScriptInterpreterSource directive set to Script: Search the system for all files ending with “.pl”. Open all files found with a text editor and ensure the following entry is found - #![Drive Letter]:/[Path to Perl install directory]/bin/perl.exe –T. If this entry is not found, this is a finding.
NOTE: This applies to PERL scripts that are used as part of the web server and not all PERL scripts that are on the system.
NOTE: If the mod_perl module is installed, and the directive “PerlTaintCheck on” is entered in the httpd.conf, this satisfies the requirement.
M
If the TAINT option cannot be used for any reason, this finding can be mitigated by the use of a third-party input validation mechanism or input validation will be included as part of the script in use. This must be documented.
Web Administrator
161