Posted to bugs@httpd.apache.org by bu...@apache.org on 2018/07/05 14:42:48 UTC

[Bug 62524] New: Multiviews - Information Disclosure

https://bz.apache.org/bugzilla/show_bug.cgi?id=62524

            Bug ID: 62524
           Summary: Multiviews - Information Disclosure
           Product: Apache httpd-2
           Version: 2.2.29
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_negotiation
          Assignee: bugs@httpd.apache.org
          Reporter: richard.hawkesford@outlook.com
  Target Milestone: ---

The following is tested on:

Apache/2.4.29 (Ubuntu)
Apache/2.4.25 (Debian)
Apache/2.4.18 (Ubuntu)

Fresh installs with multiviews enabled like this:

<Directory /var/www/html>
   Options Multiviews
</Directory>

Create a file "/var/www/html/dir/test.png"

Try to access the following URL http://192.168.1.32/dir/test/fake.png

You get the following 404 error:

Not Found
The requested URL /dir/test.png/fake.png was not found on this server.
Apache/2.4.29 (Ubuntu) Server at 192.168.1.32 Port 80

This also works if you use a different extension like this:

Try to access the following URL http://192.168.1.32/dir/test/fake.html

You get the following 404 error:

Not Found
The requested URL /dir/test.png/fake.html was not found on this server.
Apache/2.4.29 (Ubuntu) Server at 192.168.1.32 Port 80

Is this working as intended, or is this a bug/information disclosure?

Richard

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 62524] Multiviews - Information Disclosure


--- Comment #1 from Richard Hawkesford <ri...@outlook.com> ---
Side note:

Requests to https://192.168.1.30/dir/test/fake.html bypass the .htaccess "ErrorDocument 404" and show the wrong port number?

Not Found
The requested URL /dir/test/fake.html was not found on this server.
Apache Server at 192.168.1.30 Port 80



[Bug 62524] Multiviews - Information Disclosure


William A. Rowe Jr. <wr...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED

--- Comment #5 from William A. Rowe Jr. <wr...@apache.org> ---
This behavior looks entirely correct.

If you do not want files of another extension to be shown, turn off multiviews.
Httpd will always convey these names to the client, to help the cache
disambiguate between different representations.

It is certainly confusing, but that isn't due to multiviews. You have tripped
over AcceptPathInfo, a different feature which exposes paths beneath any type
of resource. http://svn.apache.org/viewvc/ is but one example; those svn files
are all served by the viewvc script.

If you believe there is still an issue after disabling these features, you can
reach out to security@httpd.apache.org, but I see no reason not to discuss the
confusion here.

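
As an added example (not part of the bug thread and not httpd's own documentation), the configuration below puts the reporter's MultiViews setup next to a hardened variant that applies the two changes wrowe's reply points to: turning MultiViews off and disabling AcceptPathInfo. The ServerTokens/ServerSignature lines and the AllowOverride caveat are my own assumptions about trimming what the server-generated error page reveals; the directory path is the thread's own.

```apache
# --- Reporter's setup (as posted in the report) ---
# With MultiViews on, a request for /dir/test is negotiated to /dir/test.png.
# The trailing segment (/fake.png) is treated as path info, and the resulting
# 404 page echoes the negotiated name, confirming that test.png exists.
<Directory /var/www/html>
    Options Multiviews
</Directory>

# --- Hardened variant (added example, not from the thread) ---
<Directory /var/www/html>
    # Remove MultiViews so /dir/test is no longer resolved to /dir/test.png.
    # This is the change that stops the other extension from being revealed.
    Options -MultiViews
    # Refuse trailing path segments outright instead of leaving the decision
    # to the handler. Assumption: nothing in this directory (e.g. a CGI or
    # script handler) needs PATH_INFO.
    AcceptPathInfo Off
    # Caveat: if AllowOverride permits "Options", a .htaccess file in this
    # tree could re-enable MultiViews. Locking overrides keeps the setting
    # authoritative.
    AllowOverride None
</Directory>

# Assumed additional hardening: keep the version string and the
# "Apache/2.4.29 (Ubuntu) Server at ... Port 80" footer out of error pages.
ServerTokens Prod
ServerSignature Off
```

After reloading, a request for /dir/test/fake.png should produce a 404 whose message names the URL as requested rather than a negotiated filename, which is the quickest way to confirm the override took effect in the intended directory.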


[Bug 62524] Multiviews - Information Disclosure


Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|2.2.29                      |2.4.29

--- Comment #4 from Eric Covener <co...@gmail.com> ---
Please report security issues directly and individually to security@apache.org
in the future.



[Bug 62524] Multiviews - Information Disclosure


--- Comment #2 from Richard Hawkesford <ri...@outlook.com> ---
And on the live server (HTTPS):

Forbidden
You don't have permission to access /.htaccess/testing on this server.
Apache Server at www.xxx.com Port 80



[Bug 62524] Multiviews - Information Disclosure


--- Comment #3 from Richard Hawkesford <ri...@outlook.com> ---
The above totally bypasses the custom 404 setups.

And confirms that the file exists.
