Apache Multiview Vulnerability


  1. Apache - MultiViews Vulnerability
  2. Apache HTTP Server Overview
     • Free, based on open source technology.
     • Multiple scripting language support.
     • Runs on * operating systems.
     • Web server with a modular design.
     • Simple, powerful file-based configuration.
  3. Apache Statistics
  4. Interesting
     Where did the Apache name come from?
     • A Patchy Server, since it was a set of software patches?
  5. Actually!
     • The name Apache was chosen out of respect to the Native American tribe Apache and its superior skills in warfare and strategy.
     • It just sort of connoted: "Take no prisoners. Be kind of aggressive and kick some ass." —Brian Behlendorf, founding member of the Apache Group.
  6. MultiViews
     MultiViews is a per-directory option. It can be set with an Options directive within a <Directory>, <Location> or <Files> section in httpd.conf, or, if AllowOverride is properly set, in .htaccess files.
     Note that Options All does not set MultiViews; you have to ask for it by name.
  7. The effect of MultiViews is as follows
     If the server receives a request for /some/dir/foo, if /some/dir has MultiViews enabled, and /some/dir/foo does not exist, then the server reads the directory looking for files named foo.*, and effectively fakes up a type map which names all those files, assigning them the same media types and content-encodings it would have if the client had asked for one of them by name. It then chooses the best match to the client's requirements.
  8. Example
     • Assume that you have an index.html file (or index.php), which both return the text/html content type, and you request:
     • Then Apache will serve the file index.html. If another file was there, called index.gif, it wouldn't be served (due to the Accept header we specified).
  9. • The problem is that if you request a file and write an invalid MIME type, Apache will present you with all of the options:
     • The response would be:
     • This reveals some files served by the server that might not be meant for browsing.
  10. Remedy
     • Disable the MultiViews option.
     • Change your httpd.conf file. A recommended configuration for the requested directory should be in the following format:
         <Directory /{YOUR DIRECTORY}>
             Options FollowSymLinks
         </Directory>
     • Remove the MultiViews option from the configuration.
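
As an added example (not part of the slides), a small Python auditor for the remedy above: it reads httpd.conf-style text and lists the `<Directory>` sections where MultiViews ends up enabled, treating `Options All` as not enabling it. It assumes plain `<Directory>` paths only (no wildcards, `<Location>`, `<Files>` or `.htaccess`) and simple parent-to-child inheritance; the function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample configuration for illustration (not from the slides).
SAMPLE_CONF = """\
<Directory "/var/www">
    Options All
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks MultiViews
</Directory>
<Directory "/var/www/html/app">
    Options -MultiViews
</Directory>
"""

OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>', re.I)
OPTIONS = re.compile(r'^\s*Options\s+(\S.*)$', re.I)

def directory_options(conf_text):
    """Map each <Directory> path to the tokens of its last Options line."""
    sections, current = {}, None
    for line in conf_text.splitlines():
        if (m := OPEN.match(line)):
            current = m.group(1).rstrip("/")  # "/" is stored as ""
            sections.setdefault(current, [])
        elif line.strip().lower().startswith("</directory"):
            current = None
        elif current is not None and (m := OPTIONS.match(line)):
            sections[current] = m.group(1).split()
    return sections

def apply_options(inherited, tokens):
    """MultiViews state after one Options directive is merged."""
    state = inherited
    if any(t[0] not in "+-" for t in tokens):
        state = False  # absolute form drops inherited options; All excludes MultiViews
    for t in tokens:
        if t.lstrip("+-").lower() == "multiviews":
            state = not t.startswith("-")
    return state

def multiviews_enabled(conf_text):
    """Return the <Directory> paths where MultiViews ends up enabled."""
    sections, state = directory_options(conf_text), {}
    for path in sorted(sections, key=len):  # parents before children
        parents = [p for p in state if path.startswith(p + "/")]
        inherited = state[max(parents, key=len)] if parents else False
        state[path] = apply_options(inherited, sections[path])
    return sorted(p or "/" for p, on in state.items() if on)
```

Calling `multiviews_enabled(open("httpd.conf").read())` on a real file gives the sections to fix; an empty list means no `<Directory>` section asks for MultiViews by name.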