The OHS instance configuration must not reference directories that contain an .htaccess file.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-64633	OH12-1X-000197	SV-79123r1_rule		Medium

Description
.htaccess files are used to override settings in the OHS configuration files. The placement of the .htaccess file is also important as the settings will affect the directory where the file is located and any subdirectories below. Allowing the use of .htaccess files, the hosted application security posture and overall OHS posture could change dependent on the URL being accessed. Allowing the override of parameters in .htaccess files makes it difficult to truly know the security posture of the system and it also makes it difficult to understand what the security posture may have been if an attack is successful. To thwart the overriding of parameters, .htaccess files must not be used and the "AllowOverride" parameter must be set to "none".

Description

.htaccess files are used to override settings in the OHS configuration files. The placement of the .htaccess file is also important as the settings will affect the directory where the file is located and any subdirectories below. Allowing the use of .htaccess files, the hosted application security posture and overall OHS posture could change dependent on the URL being accessed. Allowing the override of parameters in .htaccess files makes it difficult to truly know the security posture of the system and it also makes it difficult to understand what the security posture may have been if an attack is successful. To thwart the overriding of parameters, .htaccess files must not be used and the "AllowOverride" parameter must be set to "none".

STIG	Date
Oracle HTTP Server 12.1.3 Security Technical Implementation Guide	2019-12-12

Details

Check Text ( C-65375r1_chk )
1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "" directives at the server and virtual host configuration scopes. 3. Go to the location specified as the value for each "" directive (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs1/htdocs). 4. Check for the existence of any .htaccess files in the aforementioned locations (e.g., find . -name .htaccess -print). 5. If any .htaccess files are found, this is a finding.

Check Text ( C-65375r1_chk )

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.

2. Search for the "" directives at the server and virtual host configuration scopes.

3. Go to the location specified as the value for each "" directive (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs1/htdocs).

4. Check for the existence of any .htaccess files in the aforementioned locations (e.g., find . -name .htaccess -print).

5. If any .htaccess files are found, this is a finding.

Fix Text (F-70563r1_fix)
1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "" directives at the server and virtual host configuration scopes. 3. Go to the location specified as the value for each "" directive (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs1/htdocs). 4. find . -name .htaccess -exec rm {} \;

Fix Text (F-70563r1_fix)