Security Finding

Jonathan Grymes — Tue, 26 Jan 2016 19:07:09 GMT

We recently had a security audit on our HP servers. Can files under /cgi-bin be removed? Any recomendation for securing these pages?

The Assessment Team discovered directories containing jsp and cgi scripts. These scripts provided the team with valuable information. For example, the team browsed to http://xx.x.x.82/cgi-bin/showuser.cgi and discovered the web service was running as the user www. The team was also able to browse to http://xx.x.x82/cgi-bin/man2html and search for man pages. http://xx.x.x82/cgi-bin/printenv provided environment variable information

Remove any unnecessary default directories or script.

I found these locations:

# find . -name cgi-bin

./opt/hpsmh/data/cgi-bin

./opt/hpws22/apache/cgi-bin

./opt/hpws22/apache/hpws_docs/.hp_docs/cgi-bin

./opt/hpws22/tomcat/hpws_docs/.hp_docs/cgi-bin

./opt/hpws22/hp_docs/cgi-bin

./opt/hpws/xmltools/hpws_docs/.hp_docs/cgi-bin

./opt/hpws/hp_docs/cgi-bin

Thanks

Jon

Re: Security Finding

Bill Hassell — Wed, 27 Jan 2016 01:35:57 GMT

You can remove the finding by stopping the Apache web server. All HP-UX servers will have scripts in cgi-bin as well as jsp files. The directories are part of the HP-UX tools such as SMH. Removing the files will permanently disable several system admin web-based services such as SMH.

This finding is a bit strange. Any computer that has web pages will have these directories. Removing them causes these pages to stop working. This isn't just for HP-UX. This finding would affect Linux, Solaris, AIX, anything that is running web pages. Since removing these files would cripple the functionality, you need to ask the network team about creating an isolated subnet with restricted access.

topic Re: Security Finding in Operating System - HP-UX

Security Finding

Re: Security Finding