4961565 2000-03-31 23:11 /45 lines/ Postmaster
Recipient: Bugtraq (import) <10418>
Subject: Cobalt apache configuration exposes .htaccess
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Message-ID: <20000330220757.28456.qmail@securityfocus.com>
Date: Thu, 30 Mar 2000 22:07:57 -0000
Reply-To: Paul Schreiber <shrub@YAHOO.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Paul Schreiber <shrub@YAHOO.COM>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

Following some discussion on the cobalt-users list, it seems that this
problem affects both the Raq2 and Raq3. It likely affects other cobalt
products, but I haven't confirmed it. I verified this on my Raq2.

By default, raq-hosted sites expose .htaccess files to the world.

The configuration files are located in /etc/httpd/conf/.

Fix: Add these lines to your access.conf file and restart Apache.
(This was taken from my debian install :).

    # Do not allow retrieval of the override files,
    # a standard security measure.
    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>

Annoyingly enough, if you modify this file, Cobalt will probably tell
you your warranty is void.

Interestingly enough, the access.conf file contains the following:

    # ignore .files
    #<Files "\.*">
    #deny from all
    #</Files>

(Note it is commented out.)

Paul
(4961565) ------------------------------------------

4961958 2000-04-01 03:59 /47 lines/ Postmaster
Recipient: Bugtraq (import) <10421>
Subject: [ Cobalt ] Security Advisory -- 03.31.2000
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Accept-Language: en
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <38E546D8.7C0711DF@cobalt.com>
Date: Fri, 31 Mar 2000 16:46:16 -0800
Reply-To: Jeff Lovell <jlovell@COBALT.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Jeff Lovell <jlovell@COBALT.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

Cobalt Networks -- Security Advisory -- 03.31.2000

Problem: RaQ2 and RaQ3 allow remote users to view the contents of an
.htaccess file contained within a public website.

Relevant products and architectures

    Product   Architecture   Vulnerable
    Qube1     MIPS           No
    Qube2     MIPS           No
    RaQ1      MIPS           No
    RaQ2      MIPS           Yes
    RaQ3      x86            Yes

If your system is at risk you can download the relevant package and
install it. These are beta versions of the packages; Cobalt is currently
testing these packages.

RaQ 2 - ftp://ftp.cobaltnet.com/pub/experimental/security/apache/RaQ2-All-Security-Point-2.97.pkg
RaQ 3 - ftp://ftp.cobaltnet.com/pub/experimental/security/apache/RaQ3-All-Security-Point-2.4.pkg

If you experience any problems with these packages please email
jlovell@cobalt.com or security@cobalt.com.

--
Jeff Lovell
Software Engineer
Cobalt Networks, Inc.
(4961958) ------------------------------------------ (Reflowed)
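The first post shows why the shipped access.conf gave no protection: the only block that would have hidden dot-files was commented out. The checker below, an added example written for this page and not code from either poster or from Cobalt, parses an access.conf-style text, ignores commented lines the way Apache does, and reports whether an active <Files>/<FilesMatch> block covering a given filename carries a deny-all directive. The two sample configs are constructed from the blocks quoted in the post; the .htpasswd check at the end illustrates why a block naming only `.htaccess` is narrower than the `<Files "\.*">` pattern Cobalt had commented out.

```python
import re

# Constructed sample: the access.conf Cobalt shipped, as quoted in the post
# (the block that would hide dot-files is commented out, so it does nothing).
SHIPPED_CONF = """
# ignore .files
#<Files "\\.*">
#deny from all
#</Files>
"""

# Constructed sample: the same file after adding the block from the post.
FIXED_CONF = SHIPPED_CONF + """
# Do not allow retrieval of the override files,
# a standard security measure.
<Files .htaccess>
order allow,deny
deny from all
</Files>
"""

# Matches <Files pattern>, <Files ~ regex> and <FilesMatch regex> containers.
BLOCK_RE = re.compile(
    r'<Files(Match)?\s+(~\s+)?"?([^">\s]+)"?\s*>(.*?)</Files(?:Match)?>', re.S | re.I)
# Apache 1.3 "deny from all" or Apache 2.4 "Require all denied", on a line of its own.
DENY_RE = re.compile(r'^\s*(deny\s+from\s+all|Require\s+all\s+denied)\s*$', re.I | re.M)

def _wildcard_to_re(pat):
    """Translate an Apache <Files> shell wildcard (with backslash escapes) to a regex."""
    out, i = "", 0
    while i < len(pat):
        c = pat[i]
        if c == "\\" and i + 1 < len(pat):   # an escaped char is literal, e.g. "\."
            out += re.escape(pat[i + 1]); i += 2; continue
        out += ".*" if c == "*" else "." if c == "?" else re.escape(c)
        i += 1
    return "^" + out + "$"

def _strip_comments(conf):
    """Apache ignores any line whose first non-blank character is '#'."""
    return "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))

def htaccess_denied(conf, name=".htaccess"):
    """True if an active <Files>/<FilesMatch> block covering `name` contains a
    deny-all directive. Only the presence of that line is checked; allow/deny
    ordering and later overriding blocks are not evaluated."""
    for m in BLOCK_RE.finditer(_strip_comments(conf)):
        is_regex, pattern, body = bool(m.group(1) or m.group(2)), m.group(3), m.group(4)
        covered = (re.search(pattern, name) if is_regex
                   else re.match(_wildcard_to_re(pattern), name))
        if covered and DENY_RE.search(body):
            return True
    return False
```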