
V-26327

CAT II (Medium)

The URL-path name must be set to the file path name or the directory path name.

Rule ID

SV-33185r1_rule

STIG

APACHE 2.2 Server for Windows Security Technical Implementation Guide

Version

V1R13

CCIs

None

Discussion

The ScriptAlias directive controls which directories the Apache server "sees" as containing scripts. If the directive uses a URL-path name that is different than the actual file system path, the potential exists to expose the script source code.

Check Content

Locate the Apache httpd.conf file.

Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive: ScriptAlias

If any enabled ScriptAlias directive does not have matching URL-path and file-path/directory-path entries, this is a finding.

Example:

Not a finding:

ScriptAlias /cgi-bin/ "[Drive Letter]:/[directory path]/cgi-bin/"

A finding:

ScriptAlias /script-cgi-bin/ "[Drive Letter]:/[directory path]/cgi-bin/"

Fix Text

Modify the ScriptAlias directive so the URL-path and file-path/directory-path entries match.
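
An added example, not part of the STIG: the Check Content comparison scripted in Python so it can be run against a whole httpd.conf. It assumes "matching" means the file path ends with the same components as the URL-path, compared case-insensitively as on a Windows file system; the sample configuration and its paths are constructed.

```python
import re
from collections import namedtuple

# Constructed sample httpd.conf lines; drive letters and paths are placeholders.
SAMPLE_CONF = """\
# ScriptAlias /old-cgi/ "C:/Apache2.2/old/"
ScriptAlias /cgi-bin/ "C:/Apache2.2/cgi-bin/"
  ScriptAlias /script-cgi-bin/ "C:/Apache2.2/cgi-bin/"
scriptalias /apps/cgi/ D:\\web\\apps\\cgi
Alias /icons/ "C:/Apache2.2/icons/"
"""

Result = namedtuple("Result", "lineno url_path file_path finding")

# Directive names are case-insensitive; lines starting with '#' never match,
# and ScriptAliasMatch is excluded by requiring whitespace after the name.
_DIRECTIVE = re.compile(r'^\s*ScriptAlias\s+(\S+)\s+(?:"([^"]*)"|(\S+))', re.I)


def _components(path):
    """Split on / or \\ and lowercase (assumption: Windows, case-insensitive)."""
    return [part.lower() for part in re.split(r"[\\/]+", path) if part]


def audit_script_aliases(conf_text):
    """Return one Result per enabled ScriptAlias directive in conf_text."""
    results = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        url_path = m.group(1)
        file_path = m.group(2) if m.group(2) is not None else m.group(3)
        url, fs = _components(url_path), _components(file_path)
        # Assumed reading of "matching": the file path ends with the URL-path
        # components. An empty URL-path ("/") has nothing to compare: finding.
        matches = bool(url) and fs[-len(url):] == url
        results.append(Result(lineno, url_path, file_path, not matches))
    return results


if __name__ == "__main__":
    for r in audit_script_aliases(SAMPLE_CONF):
        status = "FINDING" if r.finding else "ok"
        print(f"line {r.lineno}: {status:7} {r.url_path} -> {r.file_path}")
```

Directives split across lines with a trailing backslash and directives pulled in through Include files are not followed here and still need a manual look.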