5.5 Ensure the Default CGI Content printenv Script Is Removed

Information

Most web servers, including Apache installations, have default CGI content which is not needed or appropriate for production use. The primary function for these sample programs is to demonstrate the capabilities of the web server. One common default CGI content for apache installations is the script 'printenv'. This script will print back to the requester all of the CGI environment variables, which include many server configuration details and system paths.

Rationale:

CGI programs have a long history of security bugs and problems associated with improperly accepting user input. Since these programs are often targets of attackers, we need to make sure there are no unnecessary CGI programs that could potentially be used for malicious purposes. Usually these programs were not written for production use, and consequently little thought was given to security in their development. The 'printenv' script in particular will disclose inappropriate information about the web server, including directory paths and detailed version and configuration information.

Solution

Perform the following to implement the recommended state:
1. Locate cgi-bin files and directories enabled in the Apache configuration via the 'Script', 'ScriptAlias', 'ScriptAliasMatch', or 'ScriptInterpreterSource' directives.
2. Remove the 'printenv' default CGI in the cgi-bin directory if it is installed.

# rm $APACHE_PREFIX/cgi-bin/printenv

See Also

https://workbench.cisecurity.org/files/2378