The WIse SECurity
Saturday, July 14, 2007, 17:26
Multiviews Apache, Accept Requests and free listing
This is a short post about an easy way to find backup files on Apache web servers that have the MultiViews option enabled.
How does Apache choose the best match?
It depends on several Accept* headers in the client Request.
Let's see how it works:
Let's suppose I just saved a backup copy of my index.php on a web server with the MultiViews option enabled.
If an attacker requests "index" without any extension:
the web server will reply with:
Notice that the server response contains several interesting headers:
This means MultiViews is enabled on the / directory.
Let's see what happens if the request uses an "Accept:" header with a nonexistent MIME type:
the server will reply with:
Aha! With a single request we get a listing of all the files!
And for free... as in free speech ;)
Well, ok. Not really *all* the files, but every file that has the requested name and an extension listed in the mime-types file.
This means that if index.whatever is on the server it won't be listed.
Obviously an attacker could request every known extension for index.*, but that would be a bit noisy, wouldn't it?
As usual, I prefer to leave the discussion open rather than give everything I think on the subject... so feel free to leave a comment.
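As an added example (not part of the original post), the Python function below reads a captured response from your own server and reports whether it shows content negotiation and which variants a 406 reply lists. It relies on the `TCN`, `Vary` and `Alternates` headers that Apache's mod_negotiation emits (RFC 2295 syntax); the names `audit_negotiation` and `BACKUP_EXTS` and the sample response are constructed for illustration.

```python
import re

# Extensions that usually mean a leftover copy rather than a served page
# (assumed list for this example; adjust to your own conventions).
BACKUP_EXTS = {"bak", "old", "orig", "save", "swp", "tmp"}

# One variant entry in an Alternates header (RFC 2295 syntax):
#   {"index.bak" 1 {type application/x-trash} {length 0}}
VARIANT_RE = re.compile(r'\{"([^"]+)"\s+[\d.]+((?:\s*\{[^{}]*\})*)\s*\}')
TYPE_RE = re.compile(r'\{type\s+([^{}\s]+)\}')


def audit_negotiation(raw_response):
    """Summarise what a raw HTTP response head reveals about MultiViews."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # A negotiated reply carries TCN and/or "negotiate" in Vary.
    negotiated = ("tcn" in headers
                  or "negotiate" in headers.get("vary", "").lower())
    variants = []
    for name, attrs in VARIANT_RE.findall(headers.get("alternates", "")):
        mtype = TYPE_RE.search(attrs)
        variants.append((name, mtype.group(1) if mtype else None))
    exposed = [n for n, _ in variants
               if n.rsplit(".", 1)[-1].lower() in BACKUP_EXTS]
    return {
        "status": status,
        "negotiated": negotiated,
        "variants_listed": status == 406 and bool(variants),
        "variants": variants,
        "backup_like": exposed,
    }


# Constructed sample: a 406 reply to an extensionless request whose
# Accept header named a MIME type the server cannot satisfy.
SAMPLE_406 = (
    "HTTP/1.1 406 Not Acceptable\r\n"
    'Alternates: {"index.bak" 1 {type application/x-trash} {length 0}}, '
    '{"index.php" 1 {type application/x-httpd-php} {length 20}}\r\n'
    "Vary: negotiate,accept\r\n"
    "TCN: list\r\n"
    "\r\n"
)
```

A non-empty `backup_like` list means a stray copy is reachable through negotiation; removing the file or disabling MultiViews for that directory (`Options -MultiViews`) closes the listing.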
...as in free beer :)
Tim Brown, Saturday, July 14, 2007, 18:40
Nice work :)
nEUrOO, Monday, July 16, 2007, 22:12
Nice find! I didn't think about that type of testing, but this is definitely one of the checks for information disclosure!
Bunyamin Demir, Tuesday, July 17, 2007, 13:02
Stefano, nice work!
Wisec is written and maintained by Stefano Di Paola.