Symbolic links must not be used in the web content directory tree.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| high | V-2227 | WG360 | WG360 A22 | SV-30576r1_rule | 2019-01-07 | 1 |
| Description |
|---|
| A symbolic link allows a file or a directory to be referenced using a symbolic name raising a potential hazard if symbolic linkage is made to a sensitive area. When web scripts are executed and symbolic links are allowed, the web user could be allowed to access locations on the web server that are outside the scope of the web document root or home directory. |
| ℹ️ Check |
|---|
| Locate the directories containing the web content, (i.e., /usr/local/apache/htdocs). Use ls –al. An entry, such as the following, would indicate the presence and use of symbolic links: lr-xr—r-- 4000 wwwusr wwwgrp 2345 Apr 15 data -> /usr/local/apache/htdocs Such a result found in a web document directory is a finding. Additional Apache configuration check in the httpd.conf file: <Directory /[website root dir]> Options FollowSymLinks AllowOverride None </Directory> The above configuration is incorrect and is a finding. The correct configuration is: <Directory /[website root dir]> Options SymLinksIfOwnerMatch AllowOverride None </Directory> Finally, the target file or directory must be owned by the same owner as the link, which should be a privileged account with access to the web content. |
| ✔️ Fix |
|---|
| Disable symbolic links. |