STIGQter: STIG Summary: APACHE 2.2 Server for Windows Security Technical Implementation Guide Version: 1 Release: 13 Benchmark Date: 25 Jan 2019:

The URL-path name must be set to the file path name or the directory path name.

DISA Rule

SV-33185r1_rule

Vulnerability Number

V-26327

Group Title

WA00560

Rule Version

WA00560 W22

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Modify the ScriptAlias directive so the URL-path and file-path/directory-path entries match.

Check Contents

Locate the Apache httpd.conf file.

Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive: ScriptAlias

If any enabled ScriptAlias directive does not have matching URL-path and file-path/directory-path entries, this is a finding.

Example:

Not a finding:

ScriptAlias /cgi-bin/ “[Drive Letter]:/[directory path]/cgi-bin/

A finding:

ScriptAlias /script-cgi-bin/ “[Drive Letter]:/[directory path]/cgi-bin/

Vulnerability Number

V-26327

Documentable

False

Rule Version

WA00560 W22

Severity Override Guidance

Locate the Apache httpd.conf file.

Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive: ScriptAlias

If any enabled ScriptAlias directive does not have matching URL-path and file-path/directory-path entries, this is a finding.

Example:

Not a finding:

ScriptAlias /cgi-bin/ “[Drive Letter]:/[directory path]/cgi-bin/

A finding:

ScriptAlias /script-cgi-bin/ “[Drive Letter]:/[directory path]/cgi-bin/

Check Content Reference

M

Responsibility

Web Administrator

Target Key

158

Comments