The OHS instance installation must not contain an .htaccess file.

From Oracle HTTP Server 12.1.3 Security Technical Implementation Guide

Part of SRG-APP-000516-WSR-000174

Associated with: CCI-000366

SV-79121r1_rule The OHS instance installation must not contain an .htaccess file.

Vulnerability discussion

.htaccess files are used to override settings in the OHS configuration files. The placement of the .htaccess file is also important as the settings will affect the directory where the file is located and any subdirectories below. Allowing the use of .htaccess files, the hosted application security posture and overall OHS posture could change dependent on the URL being accessed. Allowing the override of parameters in .htaccess files makes it difficult to truly know the security posture of the system and it also makes it difficult to understand what the security posture may have been if an attack is successful. To thwart the overriding of parameters, .htaccess files must not be used and the "AllowOverride" parameter must be set to "none".

Check content

1. cd $DOMAIN_HOME/config/fmwconfig/components/OHS 2. find . -name .htaccess -print 3. If any .htaccess files are found, this is a finding.

Fix text

1. cd $DOMAIN_HOME/config/fmwconfig/components/OHS 2. find . -name .htaccess -exec rm {} \;

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer