
Re: [cobalt-security] .htaccess on RaQ4's



This is the Cobalt RaQ4 default setting, and by default it tells Apache to ignore
all htaccess files on the server!

We notified Cobalt and they responded saying "they were aware of the
problem".

The real question: if Cobalt has been aware of this bug for some time, why
have they not issued a patch to repair this serious security issue on the
RaQ4?

It's a simple fix that requires just changing the "AllowOverride None" to
"AllowOverride All" in the /home/sites section of the access.conf file and
then rebooting the server.

BTW: the RaQ2 and RaQ3 were released with the correct default setting set to
"AllowOverride All".

Jay Falconer
"In The Q" E-Commerce System
www.InTheQ.com

----- Original Message -----
From: "Martin Moeller" <martin@xxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Wednesday, August 30, 2000 6:01 AM
Subject: [cobalt-security] .htaccess on RaQ4's


>
> Hello guys and guyettes.
>
> The one RaQ4 we've got into production at this state had a very
> unfortunate default setting in the access.conf file in /etc/httpd/conf.
>
> /home/sites had a default of 'AllowOverride None', so no .htaccess or any
> other restrictiveness would ever work... I have not yet verified this on
> other RaQ4's but intend to soon. If this is really the default setting,
> can someone please give a reason for this?
>
> Also, I've had problems with PHP4 support until I changed the MIME type
> from application/x-httpd-php4 to application/x-httpd-php, which I believe
> is the standard anyway? Either no action has been associated with that
> MIME type or it was a typo?
>
> The precompiled version of PHP4 on the RaQ4 also seems to expect MySQL's
> socket file in /tmp/mysql.sock and not /var/lib/mysql/mysql.sock, which is
> where MySQL RPMS place it... A symlink works, but is somewhat kludgy...
>
> I'd like to hear anyone else's experiences with RaQ4's on the above or any
> other points and spark some discussion as to what settings are preferable.
>
>
> Regards,
>
> /Martin Moeller, Liga ApS, Denmark.
>
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
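
A check for the setting discussed in this thread, as an added example that is not part of either message or of any Cobalt tooling: it parses `<Directory>` blocks from an access.conf and reports whether .htaccess files under a given path are ignored. The sample config is constructed, the function names are hypothetical, and only literal `<Directory>` paths are handled (no wildcards or `<DirectoryMatch>`).

```python
import re

# Constructed sample in the style of an Apache 1.3 access.conf (not copied from a RaQ4).
SAMPLE_ACCESS_CONF = """\
<Directory />
Options None
AllowOverride None
</Directory>

# virtual site content
<Directory /home/sites/>
Options Indexes FollowSymLinks
AllowOverride None
</Directory>
"""

OPEN = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>', re.I)
CLOSE = re.compile(r'</Directory\s*>', re.I)
OVERRIDE = re.compile(r'AllowOverride\s+(.+)', re.I)

def parse_overrides(conf_text):
    """Map each literal <Directory> path to its AllowOverride tokens (None if unset)."""
    result, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        opened = OPEN.match(line)
        if opened:
            current = opened.group(1).rstrip('/') or '/'
            result.setdefault(current, None)
        elif CLOSE.match(line):
            current = None
        elif current is not None and OVERRIDE.match(line):
            result[current] = OVERRIDE.match(line).group(1).split()
    return result

def effective_override(overrides, path):
    """AllowOverride of the longest <Directory> prefix covering path, else None."""
    best = None
    for block in sorted(overrides, key=len):
        covers = block == '/' or path == block or path.startswith(block + '/')
        if covers and overrides[block] is not None:
            best = overrides[block]
    return best

def htaccess_ignored(overrides, path):
    """True when .htaccess files under path are not read at all."""
    tokens = effective_override(overrides, path)
    return tokens is not None and [t.lower() for t in tokens] == ['none']

if __name__ == '__main__':
    ov = parse_overrides(SAMPLE_ACCESS_CONF)
    print(htaccess_ignored(ov, '/home/sites/www.example.com/web'))
```

`effective_override` returns `None` when no covering block sets AllowOverride, because the built-in default then depends on the Apache version in use.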