The web server must be configured to explicitly deny access to the OS root.

From APACHE 2.2 SERVER for Windows Security Technical Implementation Guide

Part of WA00540

SV-33180r1_rule The web server must be configured to explicitly deny access to the OS root.

Vulnerability discussion

The Apache Directory directive allows for directory specific configuration of access controls and many other features and options. One important usage is to create a default deny policy that does not allow access to Operating System directories and files, except for those specifically allowed. This is done, with denying access to the OS root directory. One aspect of Apache, which is occasionally misunderstood, is the feature of default access. That is, unless you take steps to change it, if the server can find its way to a file through normal URL mapping rules, it can and will serve it to clients. Having a default deny is a predominate security principal, and then helps prevent the unintended access, and we do that in this case by denying access to the OS root directory. The Order directive is important as it provides for other Allow directives to override the default deny.

Check content

Locate the Apache httpd.conf file. Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directive: Directory For every root directory entry (i.e. ) ensure the following exists after it: Order deny,allow Deny from all If the statement above is not found in the root directory statement, this is a finding. If Allow directives are included in the root directory statement, this is a finding. If the root directory statement isn't found at all, this is a finding.

Fix text

Add the following after the root directory directive: Order deny,allow Deny from all

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer