Apache MultiViews Vulnerability


    1. Apache MultiViews Vulnerability
    2. Apache HTTP Server overview
       • Free, based on open source technology.
       • Multiple scripting language support.
       • Runs on most operating systems.
       • Web server with a modular design.
       • Simple, powerful file-based configuration.
    3. Apache statistics
    4. Interesting: where did the Apache name come from?
       • "A patchy server", since it was a set of software patches?
    5. Actually!
       • The name Apache was chosen out of respect for the Native American tribe Apache and its superior skills in warfare and strategy.
       • It just sort of connoted: "Take no prisoners. Be kind of aggressive and kick some ass."—Brian Behlendorf, founding member of the Apache Group.
    6. MultiViews
       • MultiViews is a per-directory option.
       • It can be set with an Options directive within a <Directory>, <Location> or <Files> section in httpd.conf, or in .htaccess files if AllowOverride permits it (AllowOverride Options).
       • Note that Options All does not set MultiViews; you have to ask for it by name.
    7. The effect of MultiViews is as follows
       • If the server receives a request for /some/dir/foo, /some/dir has MultiViews enabled, and /some/dir/foo does not exist, then the server reads the directory looking for files named foo.*, and effectively fakes up a type map which names all those files, assigning them the same media types and content-encodings they would have if the client had asked for one of them by name. It then chooses the best match to the client's requirements.
    8. Example
       • Assume that you have an index.html file (or index.php), both of which return the text/html content type, and you request the resource by its bare name with an Accept header that allows text/html.
       • Then Apache will serve the file index.html. If another file called index.gif were there, it wouldn't be served, because it does not match the Accept header we specified.
    9. The problem
       • The problem is that if you request a file by its bare name and send an Accept header with an invalid or made-up MIME type that none of the candidates can satisfy, Apache cannot pick a variant and instead presents you with all of the options: it answers 406 Not Acceptable, and its default error page lists every foo.* variant it found, with each file's name and media type.
       • This reveals some files served by the server that might not be meant for browsing.
    10. Remedy
       • Disable the MultiViews option.
       • Change your httpd.conf file. A recommended configuration for the requested directory should be in the following format:

         <Directory /{YOUR DIRECTORY}>
             Options FollowSymLinks
         </Directory>

       • Remove the MultiViews option from the configuration, including any .htaccess file that sets it. Options -MultiViews also works when you only want to switch off that one option and keep the others as they are.
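Slides 7 to 9 describe the negotiation step in words. The following Python script is an added example, not part of the original deck and not Apache's mod_negotiation source: it models that step on a constructed directory listing so the leak can be followed end to end. The file names, the extension table and the Accept headers are all made up for the demonstration, and the matching is a simplified form of the real algorithm (no source-quality factors, no charset or language dimensions, no multi-extension handling).

```python
"""Model of the MultiViews step described on slides 7 to 9.

Added example, not Apache source.  For a request whose file does not
exist it globs name.*, maps each candidate to a media type, picks the
best match for the Accept header and, when nothing is acceptable, hands
back the whole variant list, which is the information disclosure.
"""

# Constructed stand-in for mime.types plus a typical
# "AddType application/x-httpd-php .php".  Apache's default
# "MultiViewsMatch NegotiatedOnly" ignores files whose extension it
# cannot map, so only these extensions take part in negotiation.
MEDIA_TYPES = {
    "html": "text/html",
    "php": "application/x-httpd-php",
    "txt": "text/plain",
    "json": "application/json",
    "xml": "application/xml",
    "gif": "image/gif",
}

# Constructed directory listing for /some/dir.
CONSTRUCTED_LISTING = [
    "about.html",
    "index.bak",        # unmapped extension: not a variant by default
    "index.gif",
    "index.html",
    "index.json",
    "index.php",
    "index.php.bak",    # stem is "index.php", not "index": not a variant
]


def find_variants(listing, base):
    """Return (filename, media_type) for every base.* with a known type."""
    variants = []
    for name in sorted(listing):
        stem, _, ext = name.rpartition(".")
        if stem == base and ext in MEDIA_TYPES:
            variants.append((name, MEDIA_TYPES[ext]))
    return variants


def parse_accept(header):
    """Parse an Accept header into (type, subtype, q) triples."""
    entries = []
    for part in header.split(","):
        pieces = [p.strip() for p in part.split(";")]
        if "/" not in pieces[0]:
            continue
        mtype, subtype = pieces[0].lower().split("/", 1)
        q = 1.0
        for param in pieces[1:]:
            if param.lower().startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0
        entries.append((mtype, subtype, q))
    return entries


def quality(media_type, entries):
    """q-value the client assigns to media_type.  The most specific
    matching Accept entry wins; 0.0 means not acceptable."""
    mtype, subtype = media_type.split("/", 1)
    best_spec, best_q = 0, 0.0
    for atype, asub, q in entries:
        if (atype, asub) == (mtype, subtype):
            spec = 3
        elif atype == mtype and asub == "*":
            spec = 2
        elif (atype, asub) == ("*", "*"):
            spec = 1
        else:
            continue
        if spec > best_spec:
            best_spec, best_q = spec, q
    return best_q


def negotiate(listing, path, accept="*/*"):
    """Resolve a request for path in a MultiViews-enabled directory."""
    name = path.rsplit("/", 1)[-1]
    if name in listing:
        # The file exists, so MultiViews is never consulted.
        return {"status": 200, "file": name}
    variants = find_variants(listing, name)
    if not variants:
        return {"status": 404}
    entries = parse_accept(accept)
    scored = [(quality(mtype, entries), fname) for fname, mtype in variants]
    best_q, chosen = max(scored, key=lambda item: item[0])
    if best_q > 0:
        return {"status": 200, "file": chosen}
    # Nothing acceptable: Apache answers 406 Not Acceptable and its
    # default error page enumerates every variant with its media type.
    return {"status": 406, "variants": variants}


if __name__ == "__main__":
    for accept in ("text/html", "image/gif", "foo/bar"):
        print(f"Accept: {accept:<10} -> {negotiate(CONSTRUCTED_LISTING, '/index', accept)}")
```

With Accept: text/html the model serves index.html and with Accept: image/gif it serves index.gif, exactly as slide 8 says; with the bogus Accept: foo/bar it returns the 406 variant list, which here exposes index.php and index.json beside the intended index.html. Note that index.bak stays hidden only because its extension has no media type; a server configured with MultiViewsMatch Any would list it too.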

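To go with the remedy on slide 10, the following Python script is an added example, not from the deck or the Apache project. It scans httpd.conf-style text for Options lines that switch MultiViews on, using a constructed weak stanza beside the corrected form the slide recommends, and includes a small probe that sends a request with an Accept header no variant can satisfy so the fix can be confirmed on a live server. The /var/www/html path, the target URL and the 406 body used for the offline self-check are placeholders; the scanner is line-oriented and does not follow Include directives or inheritance between nested containers.

```python
"""Audit Apache config text for MultiViews and probe a live server.

Added example, not from the deck or the Apache project.  The config
fragments are constructed; the scanner is line-oriented (no Include
handling, no inheritance between nested containers).
"""
import re
import urllib.error
import urllib.request

# Constructed: the kind of Options line that turns MultiViews on.
WEAK_CONF = """\
<Directory /var/www/html>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
</Directory>
"""

# Constructed: the shape slide 10 recommends.  "Options -MultiViews"
# would equally switch off just that one option and leave the rest.
FIXED_CONF = """\
<Directory /var/www/html>
    Options FollowSymLinks
    AllowOverride None
</Directory>
"""

OPTIONS_RE = re.compile(r"^options\s+(.+)$", re.IGNORECASE)


def multiviews_findings(conf_text):
    """Return (container, line_no, directive) for each Options line that
    enables MultiViews.  "Options All" is not flagged: All does not
    include MultiViews, which has to be named explicitly."""
    findings = []
    container = "(server config)"
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        if line.startswith("</"):
            container = "(server config)"
        elif line.startswith("<"):
            container = line.strip("<>")
        else:
            match = OPTIONS_RE.match(line)
            if match and any(tok.lower() in ("multiviews", "+multiviews")
                             for tok in match.group(1).split()):
                findings.append((container, line_no, line))
    return findings


def looks_like_multiviews(status, body):
    """True when a response is the 406 variant list mod_negotiation emits."""
    return status == 406 and "Available variants" in body


def probe_multiviews(url, timeout=5):
    """Fetch url with an Accept header no variant can satisfy and return
    (status, body).  On a MultiViews-enabled directory the answer is 406
    with the variant list; a plain 404, or the file served directly,
    means MultiViews did not engage.  Needs network access; the offline
    test never calls it."""
    request = urllib.request.Request(url, headers={"Accept": "invalid/media-type"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, response.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# Constructed 406 body in the shape of Apache's default error page, used
# only to exercise looks_like_multiviews() offline.
CONSTRUCTED_406_BODY = """\
<p>An appropriate representation of the requested resource /index could not
be found on this server.</p>
Available variants:
<ul>
<li><a href="index.html">index.html</a> , type text/html</li>
<li><a href="index.php">index.php</a> , type application/x-httpd-php</li>
</ul>
"""


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, multiviews_findings(conf))
    # Live check against a hypothetical host; uncomment to run it.
    # status, body = probe_multiviews("http://target.example/index")
    # print(status, looks_like_multiviews(status, body))
```

Run the scanner over every file that httpd.conf includes and over any .htaccess under a directory where AllowOverride permits Options; a finding points at the exact container and line to change. After restarting the server, probe_multiviews() against a path whose file exists only with an extension (for example /index rather than /index.html) should no longer return a 406 variant list.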