STIGQter STIGQter: STIG Summary: APACHE SITE 2.0 for Windows Version: 1 Release: 5 Benchmark Date: 23 Oct 2015: PERL scripts must use the TAINT option.

DISA Rule

SV-33144r1_rule

Vulnerability Number

V-2272

Group Title

WG460

Rule Version

WG460 W22

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Adjust the PERL scripts or the registry to include the appropriate comments.

Check Contents

Locate the Apache httpd.conf file.

If unable to locate the file, perform a search of the system to find the location of the file.

Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive: ScriptInterpreterSource

For any enabled ScriptInterpreterSource directives the only authorized entries are Registry-Strict or Script. If any other entry (i.e. Registry) is found, this is a finding.

For all enabled ScriptInterpreterSource directives set to Registry-Strict: open regedit then Navigate to the following location: HKEY_CLASSES_ROOT\.pl\Shell\ExecCGI\Command\(Default) => C:\Perl\bin\perl.exe –T (This entry should specify the location of the Perl.exe file). If this entry is not found, this is a finding.

For all enabled ScriptInterpreterSource directive set to Script: Search the system for all files ending with “.pl”. Open all files found with a text editor and ensure the following entry is found - #![Drive Letter]:/[Path to Perl install directory]/bin/perl.exe –T. If this entry is not found, this is a finding.

NOTE: This applies to PERL scripts that are used as part of the web server and not all PERL scripts that are on the system.
NOTE: If the mod_perl module is installed, and the directive “PerlTaintCheck on” is entered in the httpd.conf, this satisfies the requirement.

Vulnerability Number

V-2272

Documentable

False

Rule Version

WG460 W22

Mitigations

WG460 - General

Severity Override Guidance

Locate the Apache httpd.conf file.

If unable to locate the file, perform a search of the system to find the location of the file.

Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive: ScriptInterpreterSource

For any enabled ScriptInterpreterSource directives the only authorized entries are Registry-Strict or Script. If any other entry (i.e. Registry) is found, this is a finding.

For all enabled ScriptInterpreterSource directives set to Registry-Strict: open regedit then Navigate to the following location: HKEY_CLASSES_ROOT\.pl\Shell\ExecCGI\Command\(Default) => C:\Perl\bin\perl.exe –T (This entry should specify the location of the Perl.exe file). If this entry is not found, this is a finding.

For all enabled ScriptInterpreterSource directive set to Script: Search the system for all files ending with “.pl”. Open all files found with a text editor and ensure the following entry is found - #![Drive Letter]:/[Path to Perl install directory]/bin/perl.exe –T. If this entry is not found, this is a finding.

NOTE: This applies to PERL scripts that are used as part of the web server and not all PERL scripts that are on the system.
NOTE: If the mod_perl module is installed, and the directive “PerlTaintCheck on” is entered in the httpd.conf, this satisfies the requirement.

Check Content Reference

M

Mitigation Control

If the TAINT option cannot be used for any
reason, this finding can be mitigated by the use of a third-party
input validation mechanism or input validation will be included as
part of the script in use. This must be
documented.

Responsibility

Web Administrator

Target Key

2100

Comments