Posted to bugs@httpd.apache.org by bu...@apache.org on 2018/07/05 14:42:48 UTC
[Bug 62524] New: Multiviews - Information Disclosure
https://bz.apache.org/bugzilla/show_bug.cgi?id=62524
Bug ID: 62524
Summary: Multiviews - Information Disclosure
Product: Apache httpd-2
Version: 2.2.29
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_negotiation
Assignee: bugs@httpd.apache.org
Reporter: richard.hawkesford@outlook.com
Target Milestone: ---
The following is tested on:
Apache/2.4.29 (Ubuntu)
Apache/2.4.25 (Debian)
Apache/2.4.18 (Ubuntu)
Fresh installs with Multiviews enabled like this:
<Directory /var/www/html>
Options Multiviews
</Directory>
Create a file "/var/www/html/dir/test.png"
Try to access the following URL http://192.168.1.32/dir/test/fake.png
You get the following 404 error:
Not Found
The requested URL /dir/test.png/fake.png was not found on this server.
Apache/2.4.29 (Ubuntu) Server at 192.168.1.32 Port 80
This also works if you use a different extension like this:
Try to access the following URL http://192.168.1.32/dir/test/fake.html
You get the following 404 error:
Not Found
The requested URL /dir/test.png/fake.html was not found on this server.
Apache/2.4.29 (Ubuntu) Server at 192.168.1.32 Port 80
Is this working as intended, or is this a bug/information disclosure?
Richard
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
--- Comment #1 from Richard Hawkesford <ri...@outlook.com> ---
Side note:
Requests to https://192.168.1.30/dir/test/fake.html bypass the .htaccess "ErrorDocument 404" and have the wrong port number?
Not Found
The requested URL /dir/test/fake.html was not found on this server.
Apache Server at 192.168.1.30 Port 80
William A. Rowe Jr. <wr...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |INVALID
Status|NEW |RESOLVED
--- Comment #5 from William A. Rowe Jr. <wr...@apache.org> ---
This behavior looks entirely correct.
If you do not want files of another extension to be shown, turn off multiviews.
Httpd will always convey these names to the client, to help the cache
disambiguate between different representations.
It is certainly confusing, but that isn't due to multiviews. You have tripped
over AcceptPathInfo, a different feature which exposes paths beneath any type
of resource. http://svn.apache.org/viewvc/ is but one example; those svn files
are all served by the viewvc script.
If you believe there is still an issue after disabling these features, you can
reach out to security@httpd.apache.org, but I see no reason not to discuss the
confusion here.
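The two observations above (the reporter's 404 pages that quote /dir/test.png instead of the /dir/test/... that was requested, and the reply that this is Multiviews plus AcceptPathInfo working as designed) reduce to one check: does the stock error page echo a path that differs from the one the client asked for? The Python below is an added example written for this page; it is not code from the bug thread or from httpd. The sample 404 bodies are constructed to match the text quoted in the report, the hostnames and paths are the reporter's, and the `probe()` helper (its name, the `mv-probe` user agent and the `fake.html` marker) is an assumption of this example, not something httpd provides.

```python
"""Check for the Multiviews / PATH_INFO filename leak described in bug 62524.

With Options MultiViews on and AcceptPathInfo at its default for the handler,
a request for /dir/test/fake.png is negotiated to /dir/test.png with
PATH_INFO=/fake.png. The stock httpd 404 page in the report quotes the
negotiated path, so the error page confirms that /dir/test.png exists
even though the response is a 404.
"""
import re
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# The stock httpd 404 page quoted in the report names the path it resolved.
_URL_RE = re.compile(r"The requested URL (\S+) was not found on this server\.")

# Constructed 404 bodies modelled on the two responses quoted in the report
# (not captured from a real server).
LEAKING_404 = (
    "<title>404 Not Found</title><h1>Not Found</h1>"
    "<p>The requested URL /dir/test.png/fake.png was not found on this server.</p>"
    "<address>Apache/2.4.29 (Ubuntu) Server at 192.168.1.32 Port 80</address>"
)
CLEAN_404 = (
    "<h1>Not Found</h1>"
    "<p>The requested URL /dir/test/fake.png was not found on this server.</p>"
)


def negotiated_path(error_body: str):
    """Return the path quoted in a stock httpd 404 page, or None if absent."""
    m = _URL_RE.search(error_body)
    return m.group(1) if m else None


def leaked_file(requested_path: str, error_body: str):
    """Return the existing file that the 404 page reveals, or None.

    requested_path is what the client asked for (e.g. /dir/test/fake.png);
    its last segment is the probe. If the server echoes a different path
    that still ends in the probe segment, everything before the probe is
    the file Multiviews negotiated to, and therefore exists on disk.
    """
    echoed = negotiated_path(error_body)
    if echoed is None or echoed == requested_path:
        return None
    probe = requested_path.rsplit("/", 1)[-1]
    if not echoed.endswith("/" + probe):
        return None
    return echoed[: -len(probe) - 1]


def probe(base_url: str, stem: str, marker: str = "fake.html", timeout: float = 5.0):
    """Live version of the check (hypothetical helper, not run offline).

    Requests base_url + stem + '/' + marker, where stem is a path without its
    extension (e.g. /dir/test), and returns the leaked file name or None.
    """
    path = stem.rstrip("/") + "/" + marker
    req = Request(base_url.rstrip("/") + path, headers={"User-Agent": "mv-probe"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            resp.read()
            return None  # a 2xx means the marker path really exists; no leak to parse
    except HTTPError as e:
        if e.code != 404:
            return None
        body = e.read().decode("utf-8", "replace")
        return leaked_file(path, body)


if __name__ == "__main__":
    # Offline demonstration on the constructed bodies.
    print(leaked_file("/dir/test/fake.png", LEAKING_404))  # /dir/test.png
    print(leaked_file("/dir/test/fake.png", CLEAN_404))    # None
```

The parser returns None whenever the error page does not quote the path, which is what you get with a custom `ErrorDocument 404`, and it returns None when the quoted path equals the request, which is what you get after `Options -MultiViews` or `AcceptPathInfo Off` in the affected `<Directory>`. Either setting removes the disclosure the report describes; the reply above is explicit that the rewritten name is otherwise always conveyed to the client.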
Eric Covener <co...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Version|2.2.29 |2.4.29
--- Comment #4 from Eric Covener <co...@gmail.com> ---
Please report security issues directly and individually to security@apache.org
in the future.
--- Comment #2 from Richard Hawkesford <ri...@outlook.com> ---
And on the live server (HTTPS):
Forbidden
You don't have permission to access /.htaccess/testing on this server.
Apache Server at www.xxx.com Port 80
--- Comment #3 from Richard Hawkesford <ri...@outlook.com> ---
The above totally bypasses the custom 404 setups.
And confirming that the file exists.