From Apache Server 2.4 UNIX Site Security Technical Implementation Guide
Part of SRG-APP-000233-WSR-000146
Associated with: CCI-001084
A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To allow a client access to system files of any type is a major security risk that is entirely avoidable. Obtaining such access is the goal of directory traversal and URL manipulation vulnerabilities. To facilitate such access by misconfiguring the web document (home) directory is a serious error. In addition, having the path on the same drive as the system folder compounds potential attacks such as drive space exhaustion.
Run the following command: grep "DocumentRoot"<'INSTALL PATH'>/conf/httpd.conf Note each location following the "DocumentRoot" string. This is the configured path to the document root directory(s). Use the command df -k to view each document root's partition setup. Compare that against the results for the operating system file systems and against the partition for the web server system files, which is the result of the command: df -k <'INSTALL PATH'>/bin If the document root path is on the same partition as the web server system files or the operating system file systems, this is a finding.
Move the web document (normally "htdocs") directory to a separate partition other than the operating system root partition and the web server’s system files.
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer