Information
Most web servers, including Apache installations, ship with default CGI content that is neither needed nor appropriate for production use. The primary purpose of these sample programs is to demonstrate the capabilities of the web server. A common piece of default CGI content in Apache installations is the 'test-cgi' script, which echoes the CGI environment variables back to the requester; these include many server configuration details.
CGI programs have a long history of security bugs and problems associated with improperly accepting user input. Since these programs are often targets of attackers, we need to make sure there are no unnecessary CGI programs that could potentially be used for malicious purposes. Usually these programs were not written for production use, and consequently little thought was given to security in their development. The 'test-cgi' script in particular will disclose inappropriate information about the web server, including directory paths and detailed version and configuration information.
Solution
Perform the following to implement the recommended state:
1. Locate cgi-bin files and directories enabled in the Apache configuration via 'Script', 'ScriptAlias', 'ScriptAliasMatch', or 'ScriptInterpreterSource' directives.
2. Remove the 'test-cgi' default CGI in the cgi-bin directory if it is installed.
# rm $APACHE_PREFIX/cgi-bin/test-cgi
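The two steps above as a scripted audit (an added example, not from the benchmark text): it pulls the filesystem directories that ScriptAlias and ScriptAliasMatch map to out of an Apache configuration and reports any 'test-cgi' present in them. The httpd.conf fragment, the $WORK paths and the function names are all constructed for this example.

```shell
#!/bin/sh
# Audit helper: list the filesystem directories that ScriptAlias and
# ScriptAliasMatch map to, then report any default 'test-cgi' found there.
# Added example; not part of the benchmark text.

# Constructed sample layout so the script runs offline. $WORK, httpd.conf,
# the cgi-bin directories and the two scripts are all made up here.
WORK="$(mktemp -d)"
mkdir -p "$WORK/cgi-bin" "$WORK/other-cgi"
printf '#!/bin/sh\necho "Content-type: text/plain"\necho\nenv\n' > "$WORK/cgi-bin/test-cgi"
printf '#!/bin/sh\necho "Content-type: text/plain"\necho\necho ok\n' > "$WORK/other-cgi/app.cgi"
CONF="$WORK/httpd.conf"
cat > "$CONF" <<EOF
# constructed httpd.conf fragment
ScriptAlias /cgi-bin/ "$WORK/cgi-bin/"
ScriptAliasMatch ^/cgi/(.*) "$WORK/other-cgi/\$1"
# 'Script' maps a request method to a URL path, not to a directory
Script POST /cgi-bin/search
EOF

# Print one filesystem directory per line. Only ScriptAlias and
# ScriptAliasMatch carry a filesystem target; 'Script' and
# 'ScriptInterpreterSource' do not, so they are skipped here.
cgi_dirs() {
    sed -e 's/#.*//' "$1" \
      | awk '$1 == "ScriptAlias" || $1 == "ScriptAliasMatch" { gsub(/"/, "", $3); print $3 }' \
      | sed -e 's|\$[0-9].*$||' -e 's|/*$||'   # drop $1-style back-references and trailing /
}

# Print the path of every test-cgi present in a mapped directory (nothing if none).
find_test_cgi() {
    cgi_dirs "$1" | while IFS= read -r dir; do
        if [ -f "$dir/test-cgi" ]; then
            printf '%s\n' "$dir/test-cgi"
        fi
    done
    return 0
}

# Number of test-cgi files found; 0 means the recommendation is met.
count_test_cgi() {
    find_test_cgi "$1" | awk 'END { print NR }'
}

# Stand-alone run: print each offending file; remediation is rm of each path.
find_test_cgi "$CONF"
```

Directories enabled only through Options +ExecCGI inside a <Directory> block are not mapped by these two directives and must still be reviewed by hand.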