CCE-27764-0| Platform: apache-httpd2.2 | Date: (C)2013-02-19 (M)2022-10-10 |
The Apache "Includes" setting for all "Options" directives should be configured appropriately.
Parameter:
(1) Includes / -Includes / +Includes / None
Technical Mechanism:
(1) Apache configuration file: Options directive
| CCSS Severity: | CCSS Metrics: |
| CCSS Score : | Attack Vector: |
| Exploit Score: | Attack Complexity: |
| Impact Score: | Privileges Required: |
| Severity: | User Interaction: |
| Vector: | Scope: |
| | Confidentiality: |
| | Integrity: |
| | Availability: |
| | |
References: | Resource Id | Reference |
|---|
| CIS Security Configuration Benchmark For Apache Web Server 2.2 Version 3.1.0 June 11th, 2012 | 1.5.3 Minimize Options for Other Directories Includes & IncludesNOEXEC ��� The IncludesNOEXEC option should only be needed when server side includes are required. The full Includes option should not be used as it also allows execution of arbitrary shell commands. Page 35 |
| DISA STIG Apache SERVER 2.2 for Windows Release: 1 Benchmark Date: 23 Nov 2011 | Rule Title: Server side includes (SSIs) must run with execution capability disabled.
STIG ID: WA000-WWA054 W22 Rule ID: SV-33003r1_rule Vuln ID: V-13733
Severity: CAT I Class: Unclass |
| DISA STIG Apache SERVER 2.2 for Unix Release: 1 Benchmark Date: 23 Nov 2011 | Rule Title: Server side includes (SSIs) must run with execution capability disabled.
STIG ID: WA000-WWA054 A22 Rule ID: SV-32753r1_rule Vuln ID: V-13733
Severity: CAT I Class: Unclass |
