Cobalt RaQ contains a flaw that allows a malicious user to bypass restrictions imposed by .htaccess files. The flaw is due to RaQ servers assigning ownership of uploaded files to "httpd" instead of to the specific users. RaQ servers use 'cgiwrap' to ensure scripts are run as the user instead of httpd, but this can be bypassed by creating a specially crafted .htaccess file containing parameters that will run the scripts with the privileges of the 'httpd' user.
Currently, there are no known workarounds or upgrades to correct this issue.
However, Cobalt Networks has released a patch to address this vulnerability.