UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The OHS instance installation must not contain an .htaccess file.


Overview

Finding ID Version Rule ID IA Controls Severity
V-64631 OH12-1X-000196 SV-79121r1_rule Medium
Description
.htaccess files are used to override settings in the OHS configuration files. The placement of the .htaccess file is also important as the settings will affect the directory where the file is located and any subdirectories below. Allowing the use of .htaccess files, the hosted application security posture and overall OHS posture could change dependent on the URL being accessed. Allowing the override of parameters in .htaccess files makes it difficult to truly know the security posture of the system and it also makes it difficult to understand what the security posture may have been if an attack is successful. To thwart the overriding of parameters, .htaccess files must not be used and the "AllowOverride" parameter must be set to "none".
STIG Date
Oracle HTTP Server 12.1.3 Security Technical Implementation Guide 2019-12-12

Details

Check Text ( C-65373r1_chk )
1. cd $DOMAIN_HOME/config/fmwconfig/components/OHS

2. find . -name .htaccess -print

3. If any .htaccess files are found, this is a finding.
Fix Text (F-70561r1_fix)
1. cd $DOMAIN_HOME/config/fmwconfig/components/OHS

2. find . -name .htaccess -exec rm {} \;