Apache mod_negotiation Alternative Filename Disclosure

medium Web App Scanning Plugin ID 113165

Synopsis

Apache mod_negotiation Alternative Filename Disclosure

Description

Apache web server configured with mod_negotiation and Multiviews enabled may, on receipt of a crafted invalid request with a extension-less filename return a pseudo directory listing of matching resources with known mime types. This feature may be abused by attackers to discover hidden resources on a server without resort to brute-force methods. The scanner has detected files on the server using this technique.

Solution

If files are not required, then they should be removed from the web root and/or the application directory or restricted by additional access controls. The removal of Multiviews in the Apache config could be used to avoid disclosing the presence of these files using this method but should not be considered a complete solution as it may only hinder an attacker discovering them.

See Also

http://www.wisec.it/sectou.php?id=4698ebdc59d15

https://httpd.apache.org/docs/2.4/mod/mod_negotiation.html

https://www.ush.it/2008/07/02/mod_negotiation-directory-listing-filename-bruteforcing/

Plugin Details

Severity: Medium

ID: 113165

Type: remote

Family: Web Servers

Published: 3/8/2022

Updated: 5/16/2024

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information