Apache Multiview Vulnerability
3 likes15,845 views
MultiViews is an Apache HTTP Server option that allows content negotiation by serving files with similar names, like index.html and index.gif, based on the client's requirements. This can reveal files that may not be meant for browsing if an invalid MIME type is requested. The vulnerability is remedied by disabling the MultiViews option in the server configuration.
Apache Multiview Vulnerability
- 2. Apache HTTP Server Overview • Free, Based On Open Source Technology. • Multiple Scripting Language Support. • Runs On * Operating Systems. • Web Server With a modular design. • Simple, Powerful file-based configuration.
- 4. Interesting Where did the Apache name come from? • A Patchy Server, since it was a set of software patches?
- 5. Actually!. • The name Apache was chosen out of respect to the Native American tribe Apache and its superior skills in warfare and strategy. • It just sort of connoted: "Take no prisoners. Be kind of aggressive and kick some ass." —Brian Behlendorf founding member of the Apache Group.
- 7. MultiViews MultiViews is a per-directory option Can be set with an Options directive within a <Directory>, <Location> or <Files> section in httpd.conf or If AllowOverride is properly set in .htaccess files. Note that Options All does not set MultiViews; you have to ask for it by name.
- 8. The effect of MultiViews is as follows If the server receives a request for /some/dir/foo, if /some/dir has MultiViews enabled, and /some/dir/foo does notexist, then the server reads the directory looking for files named foo.*, and effectively fakes up a type map which names all those files, assigning them the same media types and content-encodings it would have if the client had asked for one of them by name. It then chooses the best match to the client's requirements.
- 9. Example • Assume that you have a index.html file (or index.php), which both return text/html content type, and you request: • Then Apache will serve the file index.html. If another file was there, which is called index.gif, it wouldn't be served (due to the Accept header we specified).
- 10. • The problem is that if you request a file, and write an invalid mime-type, Apache will present you with all of the options: • The response would be: • This reveals some files served by the server that might not be meant for browsing.
- 11. Remedy • Disable MultiViews Option. • Change your httpd.conf file. A recommended configuration for the requested directory should be in the following format: <Directory /{YOUR DIRECTORY}> Options FollowSymLinks </Directory> • Remove the MultiViews option from configuration.
Editor's Notes
- #7: Vulnerability