WA000-WWA058 W22 - Directory indexing must be disabled on directories not containing index files.

Information

Directory options directives are directives that can be applied to further restrict access to file and directories.
If a URL which maps to a directory is requested, and there is no DirectoryIndex (e.g., index.html) in that directory, then mod_autoindex will return a formatted listing of the directory.
The Indexes option allows for the functionality of presenting a formatted listing of the directory.
Returning a formatted listing of the directory represents a vulnerability since it will allow an attacker to have knowledge of the directory contents and potentially gather sensitive information.
To explicitly disable an Options functionality, the option must be listed on every uncommented Options directive with a preceding the option. The '-' preceding the option configures Apache to explicitly disable the option. An Options directive with 'none' will also disable the functionality.
If the option is listed on an Options directive line without a preceding - or without anything preceding it or with a '+' preceding it or not configured at all, the Indexes option is enabled and is vulnerable.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Add a '-' to the Indexes setting, or set the options directive to None.

See Also

https://iasecontent.disa.mil/stigs/zip/U_Apache_2-2_WIN_V1R13_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b., CAT|II, Rule-ID|SV-33006r2_rule, STIG-ID|WA000-WWA058_W22, Vuln-ID|V-13735

Plugin: Windows

Control ID: c09cb8675f6963bd295cc00277d34af0ee6b0c9b019662979b91d4cce309bc32