Date: Thu, 30 Mar 2000 22:07:57 -0000
From: Paul Schreiber <shrub@YAHOO.COM>
Subject: Cobalt apache configuration exposes .htaccess
To: BUGTRAQ@SECURITYFOCUS.COM

Following some discussion on the cobalt-users list, it seems that this problem affects both the Raq2 and Raq3. It likely affects other cobalt products, but I haven't confirmed it. I verified this on my Raq2.

By default, raq-hosted sites expose .htaccess files to the world.

The configuration files are located in /etc/httpd/conf/.

Fix: Add these lines to your access.conf file and restart Apache. (This was taken from my debian install :).

# Do not allow retrieval of the override files,
# a standard security measure.
<Files .htaccess>
order allow,deny
deny from all
</Files>

Annoyingly enough, if you modify this file, Cobalt will probably tell you your warranty is void.

Interestingly enough, the access.conf file contains the following:

# ignore .files
#<Files "\.*">
#deny from all
#</Files>

(Note it is commented out.)

Paul
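Added example, not part of the original post: a small Python audit that reports whether an access.conf-style file has an active (uncommented) Files or FilesMatch block denying .htaccess, so a commented-out block like the one quoted above is correctly treated as no protection. The function names and sample configs are constructed for illustration, and enclosing Directory scope is ignored.

```python
import fnmatch
import re

# Constructed samples modelled on the snippets in the post, not real Cobalt files.
EXPOSED = r'''# ignore .files
#<Files "\.*">
#deny from all
#</Files>
'''
PROTECTED = EXPOSED + '''<Files .htaccess>
order allow,deny
deny from all
</Files>
'''

OPEN = re.compile(r'<\s*(Files|FilesMatch)\s+(~\s*)?"?([^">]+?)"?\s*>$', re.I)
CLOSE = re.compile(r'</\s*Files(Match)?\s*>$', re.I)

def pattern_matches(kind, is_regex, pattern, name):
    # <FilesMatch> and <Files ~ ...> take a regex; plain <Files> takes a wildcard.
    if kind.lower() == "filesmatch" or is_regex:
        return re.search(pattern, name) is not None
    return fnmatch.fnmatchcase(name, pattern)

def block_denies(directives):
    # Assumption: any "allow from" makes the outcome order-dependent, so skip it.
    if "require all denied" in directives:
        return True
    has_allow = any(d.startswith("allow from") for d in directives)
    return "deny from all" in directives and not has_allow

def htaccess_denied(conf_text, name=".htaccess"):
    """True if an active Files/FilesMatch block unconditionally denies `name`."""
    current = None  # [pattern matches name, directives seen] while inside a block
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out block protects nothing
        m = OPEN.match(line)
        if m:
            current = [pattern_matches(m.group(1), bool(m.group(2)), m.group(3), name), []]
        elif current and CLOSE.match(line):
            matched, directives = current
            current = None
            if matched and block_denies(directives):
                return True
        elif current:
            current[1].append(" ".join(line.lower().split()))
    return False
```

Read the server's access.conf into a string and pass it to htaccess_denied(); a False result means the override files are still retrievable under this simplified model.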