[14459] in bugtraq
Cobalt apache configuration exposes .htaccess
daemon@ATHENA.MIT.EDU (Paul Schreiber)
Fri Mar 31 16:14:52 2000
Message-Id: <20000330220757.28456.qmail@securityfocus.com>
Date: Thu, 30 Mar 2000 22:07:57 -0000
Reply-To: Paul Schreiber <shrub@YAHOO.COM>
From: Paul Schreiber <shrub@YAHOO.COM>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Following some discussion on the cobalt-users list, it seems
that this problem affects both the RaQ2 and RaQ3. It likely
affects other Cobalt products, but I haven't confirmed it. I
verified this on my RaQ2.
By default, RaQ-hosted sites expose .htaccess files to the
world.
The configuration files are located in /etc/httpd/conf/.
Fix: Add these lines to your access.conf file and restart
Apache. (This was taken from my Debian install :).
# Do not allow retrieval of the override files,
# a standard security measure.
<Files .htaccess>
    order allow,deny
    deny from all
</Files>
Annoyingly enough, if you modify this file, Cobalt will
probably tell you your warranty is void.
Interestingly enough, the access.conf file contains the
following:
# ignore .files
#<Files "\.*">
#deny from all
#</Files>
(Note it is commented out.)
Paul
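Added example, not part of the original post: a small Python check that reads an access.conf the way the advisory describes, skips commented-out sections (so the RaQ's `#<Files "\.*">` block counts for nothing), and reports whether a given file name is denied. It also shows that the proposed fix covers only .htaccess, while the commented-out dotfile block, once enabled, would cover every dotfile. The sample config and all function names are constructed for this example.

```python
import re
# Constructed sample (not a real RaQ file): the commented-out dotfile block, then the advisory's fix.
SAMPLE_CONF = """\
# ignore .files
#<Files "\\.*">
#deny from all
#</Files>
<Files .htaccess>
order allow,deny
deny from all
</Files>
"""

def apache_glob_to_regex(pattern):
    """Translate an Apache <Files> wildcard (backslash escapes, * and ?) to a regex."""
    out, i = "", 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):          # '\.' is a literal dot
            out, i = out + re.escape(pattern[i + 1]), i + 2
        else:
            out, i = out + (".*" if c == "*" else "." if c == "?" else re.escape(c)), i + 1
    return out

def active_files_blocks(conf_text):
    """Return (is_regex, pattern, directives) for every uncommented <Files> block."""
    blocks, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # a commented-out block protects nothing
        m = re.match(r'<Files\s+(~\s*)?"?(.+?)"?\s*>$', line, re.I)
        if m:                                          # '<Files ~ "re">' is a regex section
            current = (bool(m.group(1)), m.group(2), [])
        elif line.lower() == "</files>" and current:
            blocks.append(current); current = None
        elif current:
            current[2].append(line.lower())
    return blocks

def retrieval_denied(filename, conf_text):
    """Simplified Apache 1.3 access check: a matching <Files> block with 'Deny from all'
    and no Allow denies under either Order; Satisfy, Require and later overrides are not modelled."""
    for is_regex, pat, directives in active_files_blocks(conf_text):
        hit = re.search(pat, filename) if is_regex else re.fullmatch(apache_glob_to_regex(pat), filename)
        if hit and any(d.startswith("deny from all") for d in directives) and \
           not any(d.startswith("allow from") for d in directives):
            return True
    return False
```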