
Security Finding

 
Jonathan Grymes
Frequent Advisor

We recently had a security audit on our HP servers. Can files under /cgi-bin be removed? Any recommendation for securing these pages?

  • The Assessment Team discovered directories containing jsp and cgi scripts. These scripts provided the team with valuable information. For example, the team browsed to http://xx.x.x.82/cgi-bin/showuser.cgi and discovered the web service was running as the user www. The team was also able to browse to http://xx.x.x82/cgi-bin/man2html and search for man pages. http://xx.x.x82/cgi-bin/printenv provided environment variable information.
  • Remove any unnecessary default directories or scripts.

I found these locations:

# find . -name cgi-bin
./opt/hpsmh/data/cgi-bin
./opt/hpws22/apache/cgi-bin
./opt/hpws22/apache/hpws_docs/.hp_docs/cgi-bin
./opt/hpws22/tomcat/hpws_docs/.hp_docs/cgi-bin
./opt/hpws22/hp_docs/cgi-bin
./opt/hpws/xmltools/hpws_docs/.hp_docs/cgi-bin
./opt/hpws/hp_docs/cgi-bin
#

Thanks

Jon

Bill Hassell
Honored Contributor

Re: Security Finding

You can remove the finding by stopping the Apache web server. All HP-UX servers will have scripts in cgi-bin as well as jsp files. The directories are part of the HP-UX tools such as SMH. Removing the files will permanently disable several system admin web-based services such as SMH. 

This finding is a bit strange. Any computer that has web pages will have these directories. Removing them causes these pages to stop working. This isn't just for HP-UX. This finding would affect Linux, Solaris, AIX, anything that is running web pages. Since removing these files would cripple the functionality, you need to ask the network team about creating an isolated subnet with restricted access.



Bill Hassell, sysadmin
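
A read-only inventory for the finding discussed in this thread, as an added example that is not part of either post: it walks the given roots for cgi-bin directories and flags executable files named showuser.cgi, man2html or printenv, the three scripts cited in the audit. The function name audit_cgi, the script name in the usage comment and the output format are assumptions of this example.

```shell
#!/bin/sh
# Added example: list executable files under cgi-bin directories and flag the
# information-disclosing defaults named in the audit finding.
# Read-only: it reports, it does not delete or chmod anything.
# Usage (hypothetical script name): sh audit_cgi.sh /opt/hpsmh /opt/hpws22 /opt/hpws

# Script names taken from the finding quoted in the thread.
FLAGGED="showuser.cgi man2html printenv"

# audit_cgi ROOT...
# Prints one line per executable file: "<FLAG|ok> <mode> <owner> <path>"
audit_cgi() {
    for root in "$@"; do
        find "$root" -type d -name cgi-bin 2>/dev/null
    done | while IFS= read -r dir; do
        for f in "$dir"/*; do
            # Only regular files the web server could execute are of interest.
            if [ ! -f "$f" ] || [ ! -x "$f" ]; then
                continue
            fi
            case " $FLAGGED " in
                *" ${f##*/} "*) status=FLAG ;;
                *)              status=ok ;;
            esac
            # ls -ld fields 1 and 3 are mode and owner on HP-UX and Linux alike.
            meta=$(ls -ld "$f" | awk '{print $1, $3}')
            printf '%s %s %s\n' "$status" "$meta" "$f"
        done
    done
}

# Run the audit only when roots are given on the command line.
if [ "$#" -gt 0 ]; then
    audit_cgi "$@"
fi
```

Lines marked FLAG are candidates for review against the services (such as SMH) that depend on each directory before any change is made.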