Bugtraq mailing list archives
Cobalt apache configuration exposes .htaccess
From: shrub () YAHOO COM (Paul Schreiber)
Date: Thu, 30 Mar 2000 22:07:57 -0000
Following some discussion on the cobalt-users list, it seems that this problem affects both the Raq2 and Raq3. It likely affects other cobalt products, but I haven't confirmed it. I verified this on my Raq2.

By default, raq-hosted sites expose .htaccess files to the world.

The configuration files are located in /etc/httpd/conf/.

Fix:
Add these lines to your access.conf file and restart Apache. (This was taken from my debian install :).

# Do not allow retrieval of the override files,
# a standard security measure.
<Files .htaccess>
order allow,deny
deny from all
</Files>

Annoyingly enough, if you modify this file, Cobalt will probably tell you your warranty is void.

Interestingly enough, the access.conf file contains the following:

# ignore .files
#<Files "\.*">
#deny from all
#</Files>

(Note it is commented out.)

Paul
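Added example, not part of the original post or of any Cobalt tooling: a shell check that reports whether an access.conf-style file contains an active <Files> block for .htaccess with "deny from all", ignoring commented-out blocks such as the one quoted in the post. The function name htaccess_protected and both sample files are constructed for illustration; the scan is a line-based heuristic, not a full Apache configuration parser.

```shell
#!/bin/sh
# htaccess_protected FILE: exit 0 if an active (uncommented) <Files> block
# naming .htaccess contains "deny from all", else exit 1.
# Heuristic line scan for auditing, not a full Apache config parser.
htaccess_protected() {
    awk '
        { line = tolower($0) }                  # directive names are case-insensitive
        line ~ /^[ \t]*#/ { next }              # commented-out blocks do not count
        line ~ /^[ \t]*<files[ \t]/ {
            in_block = 1
            target = (index(line, ".htaccess") > 0)
            next
        }
        line ~ /^[ \t]*<\/files>/ { in_block = 0; target = 0; next }
        in_block && target && line ~ /^[ \t]*deny[ \t]+from[ \t]+all[ \t]*$/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample configs (not copied from a real RaQ).
SAMPLES=$(mktemp -d)
# Default state described in the post: only the commented-out block exists.
cat > "$SAMPLES/default.conf" <<'EOF'
# ignore .files
#<Files "\.*">
#deny from all
#</Files>
EOF
# Same file after adding the lines from the post.
cat > "$SAMPLES/fixed.conf" <<'EOF'
# ignore .files
#<Files "\.*">
#deny from all
#</Files>
<Files .htaccess>
order allow,deny
deny from all
</Files>
EOF

for f in "$SAMPLES/default.conf" "$SAMPLES/fixed.conf"; do
    if htaccess_protected "$f"; then
        echo "$f: .htaccess retrieval denied"
    else
        echo "$f: .htaccess NOT protected"
    fi
done
```

To audit a real host, call htaccess_protected on each file under /etc/httpd/conf/; the check should be repeated after any vendor update that may rewrite access.conf.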