Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
OHS must have the AllowOverride directive set properly.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-64625 | OH12-1X-000193 | SV-79115r1_rule | Medium |
| Description |
|---|
| The property "AllowOverride" is used to allow directives to be set differently than those set for the overall architecture. When the property is not set to "None", OHS will check for directives in the htaccess files at each directory level until the requested resource is found for each URL request. Allowing parameters to be overridden at different levels of an application becomes a security risk as the overall security of the hosted application can change dependencies on the URL being accessed. Security management also becomes difficult as a misconfiguration can be mistakenly made. |
| STIG | Date |
|---|---|
| Oracle HTTP Server 12.1.3 Security Technical Implementation Guide | 2019-12-12 |
Details
| Check Text ( C-65367r1_chk ) |
|---|
| 1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/ 2. Search for the "AllowOverride" directive at the directory configuration scope. 3. If the "AllowOverride" directive is omitted or is not set to "None", this is a finding. |
| Fix Text (F-70555r1_fix) |
|---|
| 1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/ 2. Search for the "AllowOverride" directive at the directory configuration scope. 3. Set the "AllowOverride" directive to "None", add the directive if it does not exist. |