Apache Multiview Vulnerability
Presentation Transcript

  • Apache - MultiViews Vulnerability
  • Apache HTTP Server Overview
      • Free, based on open source technology.
      • Multiple scripting language support.
      • Runs on * (any) operating system.
      • Web server with a modular design.
      • Simple, powerful file-based configuration.
  • Apache Statistics
  • Interesting: Where did the Apache name come from?
      • "A Patchy Server", since it was a set of software patches?
  • Actually!
      • The name Apache was chosen out of respect for the Native American tribe Apache and its superior skills in warfare and strategy.
      • It just sort of connoted: "Take no prisoners. Be kind of aggressive and kick some ass." (Brian Behlendorf, founding member of the Apache Group)
  • MultiViews
      • MultiViews is a per-directory option.
      • It can be set with an Options directive within a <Directory>, <Location> or <Files> section in httpd.conf, or in .htaccess files if AllowOverride is properly set.
      • Note that Options All does not set MultiViews; you have to ask for it by name.
  • The effect of MultiViews is as follows
      • If the server receives a request for /some/dir/foo, /some/dir has MultiViews enabled, and /some/dir/foo does not exist, then the server reads the directory looking for files named foo.*, and effectively fakes up a type map which names all those files, assigning them the same media types and content-encodings they would have if the client had asked for one of them by name. It then chooses the best match to the client's requirements.
  • Example
      • Assume that you have an index.html file (or index.php), both of which return the text/html content type, and you request:
      • Then Apache will serve the file index.html. If another file was there called index.gif, it wouldn't be served (due to the Accept header we specified).
  • The problem is that if you request a file and specify an invalid MIME type, Apache will present you with all of the options:
      • The response would be:
      • This reveals some files served by the server that might not be meant for browsing.
  • Remedy
      • Disable the MultiViews option.
      • Change your httpd.conf file. A recommended configuration for the requested directory should be in the following format:
            <Directory /{YOUR DIRECTORY}>
            Options FollowSymLinks
            </Directory>
      • Remove the MultiViews option from the configuration.
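As an added example (not part of the original slides), the following audit script applies the remedy above to a configuration file: it walks the <Directory> sections of an httpd.conf and flags those whose Options line leaves MultiViews on, treating "Options All" as not enabling it, exactly as the MultiViews slide states. The sample configuration is constructed for the example; the script checks each section's own Options line only and does not model Apache's merging of inherited Options across nested sections or .htaccess files.

```python
import re

# Constructed sample httpd.conf fragment (not from the slides). One section
# names MultiViews explicitly, one uses "Options All" (which does NOT enable
# MultiViews), one follows the recommended hardened form, and one enables it
# with the relative "+MultiViews" syntax.
SAMPLE_HTTPD_CONF = """\
<Directory /var/www/html>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
</Directory>
<Directory /var/www/all>
    Options All
</Directory>
<Directory /var/www/hardened>
    Options FollowSymLinks
    # MultiViews was removed from this section
</Directory>
<Directory /var/www/incremental>
    Options +MultiViews -Indexes
</Directory>
"""

DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
OPTIONS_RE = re.compile(r'^\s*Options\s+(.+?)\s*$', re.M | re.I)


def multiviews_enabled(options_args):
    """Return True if the arguments of an Options line turn MultiViews on.

    "All" is deliberately not treated as enabling MultiViews, because Options
    All does not include it; only an explicit MultiViews or +MultiViews does.
    A later -MultiViews on the same line overrides an earlier +MultiViews.
    """
    state = False
    for token in options_args.split():
        if token.lstrip("+-").lower() != "multiviews":
            continue
        state = not token.startswith("-")
    return state


def find_multiviews_directories(conf_text):
    """Return the <Directory> paths whose last Options line leaves MultiViews on."""
    flagged = []
    for path, body in DIRECTORY_RE.findall(conf_text):
        options_lines = OPTIONS_RE.findall(body)  # comment lines never match
        if options_lines and multiviews_enabled(options_lines[-1]):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for directory in find_multiviews_directories(SAMPLE_HTTPD_CONF):
        print(f"MultiViews enabled in <Directory {directory}>: remove it per the remedy above")
```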