5.5 Ensure the Default CGI Content printenv Script Is Removed

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Most Web Servers, including Apache installations have default CGI content which is not needed or appropriate for production use. The primary function for these sample programs is to demonstrate the capabilities of the web server. One common default CGI content for Apache installations is the script printenv. This script will print back to the requester all of the CGI environment variables which includes many server configuration details and system paths.

Rationale:

CGI programs have a long history of security bugs and problems associated with improperly accepting user-input. Since these programs are often targets of attackers, we need to make sure that there are no unnecessary CGI programs that could potentially be used for malicious purposes. Usually these programs are not written for production use and consequently little thought was given to security in their development. The printenv script in particular will disclose inappropriate information about the web server including directory paths and detailed version and configuration information.

Solution

Perform the following to implement the recommended state:

Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives.

Remove the printenvdefault CGI in cgi-bin directory if it is installed.

# rm $APACHE_PREFIX/cgi-bin/printenv

Default Value:

The default source installation includes the printenv script. However, this script is not executable by default.

See Also

https://workbench.cisecurity.org/files/3021