The URL-path name must be set to the file path name or the directory path name.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-26327	WA00560	WA00560 W22	SV-33185r1_rule	2018-12-24	1

Description
The ScriptAlias directive controls which directories the Apache server "sees" as containing scripts. If the directive uses a URL-path name that is different than the actual file system path, the potential exists to expose the script source code.

ℹ️ Check
Locate the Apache httpd.conf file. Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive: ScriptAlias If any enabled ScriptAlias directive does not have matching URL-path and file-path/directory-path entries, this is a finding. Example: Not a finding: ScriptAlias /cgi-bin/ “[Drive Letter]:/[directory path]/cgi-bin/ A finding: ScriptAlias /script-cgi-bin/ “[Drive Letter]:/[directory path]/cgi-bin/

ℹ️ Check

Locate the Apache httpd.conf file. Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive: ScriptAlias If any enabled ScriptAlias directive does not have matching URL-path and file-path/directory-path entries, this is a finding. Example: Not a finding: ScriptAlias /cgi-bin/ “[Drive Letter]:/[directory path]/cgi-bin/ A finding: ScriptAlias /script-cgi-bin/ “[Drive Letter]:/[directory path]/cgi-bin/

✔️ Fix
Modify the ScriptAlias directive so the URL-path and file-path/directory-path entries match.