SlideShare a Scribd company logo

Apache Multiview Vulnerability

Ronan Dunne, CEH, SSCP
Ronan Dunne, CEH, SSCP
Technology
1 of 11
Apache - MultiViews Vulnerability
Apache HTTP Server Overview • Free, Based On Open Source Technology. • Multiple Scripting Language Support. • Runs On * Operating Systems. • Web Server With a modular design. • Simple, Powerful file-based configuration.
Apache Statistics
Interesting Where did the Apache name come from? • A Patchy Server, since it was a set of software patches?
Actually!. • The name Apache was chosen out of respect to the Native American tribe Apache and its superior skills in warfare and strategy. • It just sort of connoted: "Take no prisoners. Be kind of aggressive and kick some ass." —Brian Behlendorf founding member of the Apache Group.
MultiViews MultiViews is a per-directory option Can be set with an Options directive within a <Directory>, <Location> or <Files> section in httpd.conf or If AllowOverride is properly set in .htaccess files. Note that Options All does not set MultiViews; you have to ask for it by name.
The effect of MultiViews is as follows If the server receives a request for /some/dir/foo, if /some/dir has MultiViews enabled, and /some/dir/foo does notexist, then the server reads the directory looking for files named foo.*, and effectively fakes up a type map which names all those files, assigning them the same media types and content-encodings it would have if the client had asked for one of them by name. It then chooses the best match to the client's requirements.
Example • Assume that you have a index.html file (or index.php), which both return text/html content type, and you request: • Then Apache will serve the file index.html. If another file was there, which is called index.gif, it wouldn't be served (due to the Accept header we specified).
• The problem is that if you request a file, and write an invalid mime-type, Apache will present you with all of the options: • The response would be: • This reveals some files served by the server that might not be meant for browsing.
Remedy • Disable MultiViews Option. • Change your httpd.conf file. A recommended configuration for the requested directory should be in the following format: <Directory /{YOUR DIRECTORY}> Options FollowSymLinks </Directory> • Remove the MultiViews option from configuration.

Recommended

Html5 Basics
Html5 BasicsHtml5 Basics
Html5 BasicsPankaj Bajaj
 
HTML5 Tutorial
HTML5 TutorialHTML5 Tutorial
HTML5 TutorialAvinash Malhotra
 
Apache Server Tutorial
Apache Server TutorialApache Server Tutorial
Apache Server TutorialJagat Kothari
 
How to Get Started With NGINX
How to Get Started With NGINXHow to Get Started With NGINX
How to Get Started With NGINXNGINX, Inc.
 
Cookies & Session
Cookies & SessionCookies & Session
Cookies & Sessionuniversity of education,Lahore
 
Html5 tutorial for beginners
Html5 tutorial for beginnersHtml5 tutorial for beginners
Html5 tutorial for beginnersSingsys Pte Ltd
 
HTML CSS & Javascript
HTML CSS & JavascriptHTML CSS & Javascript
HTML CSS & JavascriptDavid Lindkvist
 
html5.ppt
html5.ppthtml5.ppt
html5.pptNiharika Gupta
 

Recommended

Html5 Basics
Html5 BasicsHtml5 Basics
Html5 BasicsPankaj Bajaj
 
HTML5 Tutorial
HTML5 TutorialHTML5 Tutorial
HTML5 TutorialAvinash Malhotra
 
Apache Server Tutorial
Apache Server TutorialApache Server Tutorial
Apache Server TutorialJagat Kothari
 
How to Get Started With NGINX
How to Get Started With NGINXHow to Get Started With NGINX
How to Get Started With NGINXNGINX, Inc.
 
Cookies & Session
Cookies & SessionCookies & Session
Cookies & Sessionuniversity of education,Lahore
 
Html5 tutorial for beginners
Html5 tutorial for beginnersHtml5 tutorial for beginners
Html5 tutorial for beginnersSingsys Pte Ltd
 
HTML CSS & Javascript
HTML CSS & JavascriptHTML CSS & Javascript
HTML CSS & JavascriptDavid Lindkvist
 
html5.ppt
html5.ppthtml5.ppt
html5.pptNiharika Gupta
 
Cross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityCross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityRonan Dunne, CEH, SSCP
 
PHP - Introduction to PHP Cookies and Sessions
PHP - Introduction to PHP Cookies and SessionsPHP - Introduction to PHP Cookies and Sessions
PHP - Introduction to PHP Cookies and SessionsVibrant Technologies & Computers
 
The secret life of a dispatcher (Adobe CQ AEM)
The secret life of a dispatcher (Adobe CQ AEM)The secret life of a dispatcher (Adobe CQ AEM)
The secret life of a dispatcher (Adobe CQ AEM)Venugopal Gummadala
 
Php Presentation
Php PresentationPhp Presentation
Php PresentationManish Bothra
 
Drone CI/CD Platform
Drone CI/CD PlatformDrone CI/CD Platform
Drone CI/CD PlatformBo-Yi Wu
 
Sessions and cookies
Sessions and cookiesSessions and cookies
Sessions and cookieswww.netgains.org
 
PHP Cookies and Sessions
PHP Cookies and SessionsPHP Cookies and Sessions
PHP Cookies and SessionsNisa Soomro
 
The Complete HTML
The Complete HTMLThe Complete HTML
The Complete HTMLRohit Buddabathina
 
Scalable Django Architecture
Scalable Django ArchitectureScalable Django Architecture
Scalable Django ArchitectureRami Sayar
 
Intro to HTML5 audio tag
Intro to HTML5 audio tagIntro to HTML5 audio tag
Intro to HTML5 audio tagsatejsahu
 
JavaScript - Chapter 3 - Introduction
JavaScript - Chapter 3 - Introduction JavaScript - Chapter 3 - Introduction
JavaScript - Chapter 3 - IntroductionWebStackAcademy
 
jQuery Ajax
jQuery AjaxjQuery Ajax
jQuery AjaxAnand Kumar Rajana
 
FYBSC IT Web Programming Unit IV PHP and MySQL
FYBSC IT Web Programming Unit IV PHP and MySQLFYBSC IT Web Programming Unit IV PHP and MySQL
FYBSC IT Web Programming Unit IV PHP and MySQLArti Parab Academics
 
PHP Presentation
PHP PresentationPHP Presentation
PHP PresentationJIGAR MAKHIJA
 
Php
PhpPhp
PhpShagufta shaheen
 
Html audio video
Html audio videoHtml audio video
Html audio videoMuhammad Ehtisham Siddiqui
 
Php cookies
Php cookiesPhp cookies
Php cookiesJIGAR MAKHIJA
 
Nginx
NginxNginx
NginxDhrubaji Mandal ♛
 
Client side &amp; Server side Scripting
Client side &amp; Server side Scripting Client side &amp; Server side Scripting
Client side &amp; Server side Scripting Webtech Learning
 
Php basics
Php basicsPhp basics
Php basicsJamshid Hashimi
 
Blind xss
Blind xssBlind xss
Blind xssRonan Dunne, CEH, SSCP
 
Cross site scripting XSS
Cross site scripting XSSCross site scripting XSS
Cross site scripting XSSRonan Dunne, CEH, SSCP
 

More Related Content

What's hot

Cross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityCross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityRonan Dunne, CEH, SSCP
 
The secret life of a dispatcher (Adobe CQ AEM)
The secret life of a dispatcher (Adobe CQ AEM)The secret life of a dispatcher (Adobe CQ AEM)
The secret life of a dispatcher (Adobe CQ AEM)Venugopal Gummadala
 
Drone CI/CD Platform
Drone CI/CD PlatformDrone CI/CD Platform
Drone CI/CD PlatformBo-Yi Wu
 
PHP Cookies and Sessions
PHP Cookies and SessionsPHP Cookies and Sessions
PHP Cookies and SessionsNisa Soomro
 
Scalable Django Architecture
Scalable Django ArchitectureScalable Django Architecture
Scalable Django ArchitectureRami Sayar
 
Intro to HTML5 audio tag
Intro to HTML5 audio tagIntro to HTML5 audio tag
Intro to HTML5 audio tagsatejsahu
 
JavaScript - Chapter 3 - Introduction
JavaScript - Chapter 3 - Introduction JavaScript - Chapter 3 - Introduction
JavaScript - Chapter 3 - IntroductionWebStackAcademy
 
FYBSC IT Web Programming Unit IV PHP and MySQL
FYBSC IT Web Programming Unit IV PHP and MySQLFYBSC IT Web Programming Unit IV PHP and MySQL
FYBSC IT Web Programming Unit IV PHP and MySQLArti Parab Academics
 
Client side &amp; Server side Scripting
Client side &amp; Server side Scripting Client side &amp; Server side Scripting
Client side &amp; Server side Scripting Webtech Learning
 

What's hot (20)

Cross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityCross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload Vulnerability
 
PHP - Introduction to PHP Cookies and Sessions
PHP - Introduction to PHP Cookies and SessionsPHP - Introduction to PHP Cookies and Sessions
PHP - Introduction to PHP Cookies and Sessions
 
The secret life of a dispatcher (Adobe CQ AEM)
The secret life of a dispatcher (Adobe CQ AEM)The secret life of a dispatcher (Adobe CQ AEM)
The secret life of a dispatcher (Adobe CQ AEM)
 
Php Presentation
Php PresentationPhp Presentation
Php Presentation
 
Drone CI/CD Platform
Drone CI/CD PlatformDrone CI/CD Platform
Drone CI/CD Platform
 
Sessions and cookies
Sessions and cookiesSessions and cookies
Sessions and cookies
 
PHP Cookies and Sessions
PHP Cookies and SessionsPHP Cookies and Sessions
PHP Cookies and Sessions
 
The Complete HTML
The Complete HTMLThe Complete HTML
The Complete HTML
 
Scalable Django Architecture
Scalable Django ArchitectureScalable Django Architecture
Scalable Django Architecture
 
Intro to HTML5 audio tag
Intro to HTML5 audio tagIntro to HTML5 audio tag
Intro to HTML5 audio tag
 
JavaScript - Chapter 3 - Introduction
JavaScript - Chapter 3 - Introduction JavaScript - Chapter 3 - Introduction
JavaScript - Chapter 3 - Introduction
 
jQuery Ajax
jQuery AjaxjQuery Ajax
jQuery Ajax
 
FYBSC IT Web Programming Unit IV PHP and MySQL
FYBSC IT Web Programming Unit IV PHP and MySQLFYBSC IT Web Programming Unit IV PHP and MySQL
FYBSC IT Web Programming Unit IV PHP and MySQL
 
PHP Presentation
PHP PresentationPHP Presentation
PHP Presentation
 
Php
PhpPhp
Php
 
Html audio video
Html audio videoHtml audio video
Html audio video
 
Php cookies
Php cookiesPhp cookies
Php cookies
 
Nginx
NginxNginx
Nginx
 
Client side &amp; Server side Scripting
Client side &amp; Server side Scripting Client side &amp; Server side Scripting
Client side &amp; Server side Scripting
 
Php basics
Php basicsPhp basics
Php basics
 

Viewers also liked

Jon Gorenflo - Burp Collaborator
Jon Gorenflo - Burp CollaboratorJon Gorenflo - Burp Collaborator
Jon Gorenflo - Burp Collaboratorcentralohioissa
 
Automated and Effective Testing of Web Services for XML Injection Attacks
Automated and Effective Testing of Web Services for XML Injection AttacksAutomated and Effective Testing of Web Services for XML Injection Attacks
Automated and Effective Testing of Web Services for XML Injection AttacksLionel Briand
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseNoaman Aziz
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)OWASP Ottawa
 
XML & XPath Injections
XML & XPath InjectionsXML & XPath Injections
XML & XPath InjectionsAMol NAik
 

Viewers also liked (20)

Blind xss
Blind xssBlind xss
Blind xss
 
Cross site scripting XSS
Cross site scripting XSSCross site scripting XSS
Cross site scripting XSS
 
ASP.NET View State - Security Issues
ASP.NET View State - Security IssuesASP.NET View State - Security Issues
ASP.NET View State - Security Issues
 
Click jacking
Click jackingClick jacking
Click jacking
 
Mime sniffing
Mime sniffingMime sniffing
Mime sniffing
 
Unicode
UnicodeUnicode
Unicode
 
Qr codes
Qr codesQr codes
Qr codes
 
Error codes & custom 404s
Error codes & custom 404sError codes & custom 404s
Error codes & custom 404s
 
B wapp – bee bug – installation
B wapp – bee bug – installationB wapp – bee bug – installation
B wapp – bee bug – installation
 
Jon Gorenflo - Burp Collaborator
Jon Gorenflo - Burp CollaboratorJon Gorenflo - Burp Collaborator
Jon Gorenflo - Burp Collaborator
 
Web-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting EnginesWeb-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting Engines
 
Automated and Effective Testing of Web Services for XML Injection Attacks
Automated and Effective Testing of Web Services for XML Injection AttacksAutomated and Effective Testing of Web Services for XML Injection Attacks
Automated and Effective Testing of Web Services for XML Injection Attacks
 
Content security policy
Content security policyContent security policy
Content security policy
 
File upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationFile upload vulnerabilities & mitigation
File upload vulnerabilities & mitigation
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackrose
 
Kali Linux Installation - VMware
Kali Linux Installation - VMwareKali Linux Installation - VMware
Kali Linux Installation - VMware
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop
 
XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)
 
XML & XPath Injections
XML & XPath InjectionsXML & XPath Injections
XML & XPath Injections
 

Similar to Apache Multiview Vulnerability

Lesson 9. The Apache Web Server
Lesson 9. The Apache Web ServerLesson 9. The Apache Web Server
Lesson 9. The Apache Web Serverwebhostingguy
 
Running the Apache Web Server
Running the Apache Web ServerRunning the Apache Web Server
Running the Apache Web Serverwebhostingguy
 
Utosc2007_Apache_Configuration.ppt
Utosc2007_Apache_Configuration.pptUtosc2007_Apache_Configuration.ppt
Utosc2007_Apache_Configuration.pptwebhostingguy
 
Utosc2007_Apache_Configuration.ppt
Utosc2007_Apache_Configuration.pptUtosc2007_Apache_Configuration.ppt
Utosc2007_Apache_Configuration.pptwebhostingguy
 
Utosc2007_Apache_Configuration.ppt
Utosc2007_Apache_Configuration.pptUtosc2007_Apache_Configuration.ppt
Utosc2007_Apache_Configuration.pptwebhostingguy
 

Similar to Apache Multiview Vulnerability (20)

Apache
ApacheApache
Apache
 
.htaccess
.htaccess.htaccess
.htaccess
 
Lesson 9. The Apache Web Server
Lesson 9. The Apache Web ServerLesson 9. The Apache Web Server
Lesson 9. The Apache Web Server
 
Apache
ApacheApache
Apache
 
Intro apache
Intro apacheIntro apache
Intro apache
 
sfsa
sfsasfsa
sfsa
 
test pdf
test pdftest pdf
test pdf
 
test
testtest
test
 
testing pdf doc
testing pdf doctesting pdf doc
testing pdf doc
 
Apache ppt
Apache pptApache ppt
Apache ppt
 
Running the Apache Web Server
Running the Apache Web ServerRunning the Apache Web Server
Running the Apache Web Server
 
php
phpphp
php
 
php
phpphp
php
 
Apache
ApacheApache
Apache
 
Php 1
Php 1Php 1
Php 1
 
Utosc2007_Apache_Configuration.ppt
Utosc2007_Apache_Configuration.pptUtosc2007_Apache_Configuration.ppt
Utosc2007_Apache_Configuration.ppt
 
Utosc2007_Apache_Configuration.ppt
Utosc2007_Apache_Configuration.pptUtosc2007_Apache_Configuration.ppt
Utosc2007_Apache_Configuration.ppt
 
Utosc2007_Apache_Configuration.ppt
Utosc2007_Apache_Configuration.pptUtosc2007_Apache_Configuration.ppt
Utosc2007_Apache_Configuration.ppt
 
Asp folders and web configurations
Asp folders and web configurationsAsp folders and web configurations
Asp folders and web configurations
 
Php intro
Php introPhp intro
Php intro
 

Recently uploaded

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 

Recently uploaded (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

Apache Multiview Vulnerability

  • 2. Apache HTTP Server Overview • Free, Based On Open Source Technology. • Multiple Scripting Language Support. • Runs On * Operating Systems. • Web Server With a modular design. • Simple, Powerful file-based configuration.
  • 4. Interesting Where did the Apache name come from? • A Patchy Server, since it was a set of software patches?
  • 5. Actually!. • The name Apache was chosen out of respect to the Native American tribe Apache and its superior skills in warfare and strategy. • It just sort of connoted: "Take no prisoners. Be kind of aggressive and kick some ass." —Brian Behlendorf founding member of the Apache Group.
  • 6.
  • 7. MultiViews MultiViews is a per-directory option Can be set with an Options directive within a <Directory>, <Location> or <Files> section in httpd.conf or If AllowOverride is properly set in .htaccess files. Note that Options All does not set MultiViews; you have to ask for it by name.
  • 8. The effect of MultiViews is as follows If the server receives a request for /some/dir/foo, if /some/dir has MultiViews enabled, and /some/dir/foo does notexist, then the server reads the directory looking for files named foo.*, and effectively fakes up a type map which names all those files, assigning them the same media types and content-encodings it would have if the client had asked for one of them by name. It then chooses the best match to the client's requirements.
  • 9. Example • Assume that you have a index.html file (or index.php), which both return text/html content type, and you request: • Then Apache will serve the file index.html. If another file was there, which is called index.gif, it wouldn't be served (due to the Accept header we specified).
  • 10. • The problem is that if you request a file, and write an invalid mime-type, Apache will present you with all of the options: • The response would be: • This reveals some files served by the server that might not be meant for browsing.
  • 11. Remedy • Disable MultiViews Option. • Change your httpd.conf file. A recommended configuration for the requested directory should be in the following format: <Directory /{YOUR DIRECTORY}> Options FollowSymLinks </Directory> • Remove the MultiViews option from configuration.

Editor's Notes

  1. Vulnerability