5.6 Ensure the Default CGI Content test-cgi Script Is Removed

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Most web servers, including Apache installations, have default CGI content that is not needed or appropriate for production use. The primary function of these sample programs is to demonstrate the capabilities of the web server. A common piece of default CGI content for Apache installations is the script test-cgi. This script prints the CGI environment variables back to the requester, and those variables include many server configuration details.

Rationale:

CGI programs have a long history of security bugs and problems associated with improperly accepting user input. Since these programs are often targets of attackers, we need to make sure that there are no unnecessary CGI programs that could potentially be used for malicious purposes. Usually these programs are not written for production use, and consequently little thought was given to security in their development. The test-cgi script in particular will disclose inappropriate information about the web server, including directory paths and detailed version and configuration information.

Solution

Perform the following to implement the recommended state:

Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives.

Remove the test-cgi default CGI script from the cgi-bin directory if it is installed.

# rm $APACHE_PREFIX/cgi-bin/test-cgi
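
The two steps above can be scripted as a read-only check that reports what to remove. This is an added example, not part of the benchmark: the function names are hypothetical, and it assumes all configuration files sit under the path passed in and that ScriptAlias targets contain no whitespace.

```shell
#!/bin/sh
# Added example: read-only audit for leftover test-cgi scripts.
# Assumptions: every config file lives under the path given as $1 (files
# pulled in by Include from elsewhere are not seen), and ScriptAlias
# targets contain no whitespace.

# Step 1a: print every CGI-enabling directive (file:line:text) for review.
# Commented-out directives are skipped because the line must start with
# the directive name.
list_cgi_directives() {
    grep -rniE '^[[:space:]]*(Script|ScriptAlias|ScriptAliasMatch|ScriptInterpreterSource)[[:space:]]' "$1" 2>/dev/null
}

# Step 1b: print the filesystem target (second argument) of each
# ScriptAlias directive, unquoted and without a trailing slash.
# ScriptAliasMatch targets may hold regex backreferences, so they are
# left to manual review via list_cgi_directives.
cgi_dirs() {
    grep -rhiE '^[[:space:]]*ScriptAlias[[:space:]]' "$1" 2>/dev/null |
        awk '{ gsub(/"/, "", $3); sub(/\/+$/, "", $3); if ($3 != "") print $3 }' |
        sort -u
}

# Step 2: print each test-cgi found in those directories with its
# executable state. Returns 1 if any copy exists, 0 if none do.
find_test_cgi() {
    hits=$(cgi_dirs "$1" | while IFS= read -r dir; do
        if [ -e "$dir/test-cgi" ]; then
            if [ -x "$dir/test-cgi" ]; then mode="executable"; else mode="not executable"; fi
            echo "$dir/test-cgi ($mode)"
        fi
    done)
    if [ -z "$hits" ]; then return 0; fi
    echo "$hits"
    return 1
}

# Runs only when APACHE_PREFIX is set, as in the rm command above.
if [ -n "${APACHE_PREFIX:-}" ]; then
    list_cgi_directives "$APACHE_PREFIX/conf"
    find_test_cgi "$APACHE_PREFIX/conf"
fi
```

A copy reported as "not executable" matches the default source installation and should still be removed.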

Default Value:

The default source installation includes the test-cgi script. However, this script is not executable by default.

See Also

https://workbench.cisecurity.org/files/3021