How to remediate – Apache mod_negotiation Alternative Filename Disclosure

1. Introduction

Apache mod_negotiation Alternative Filename Disclosure is a vulnerability in Apache web servers where enabling both mod_negotiation and MultiViews can allow attackers to discover hidden resources on the server by requesting files with invalid extensions. This could lead to information disclosure, potentially revealing sensitive data or internal application structure. Confidentiality may be impacted if hidden files are exposed.

2. Technical Explanation

The vulnerability occurs when Apache is configured with mod_negotiation and MultiViews enabled. When a request for a file without an extension is received, the server attempts to find matching resources based on known MIME types. This process can reveal pseudo directory listings of files that would otherwise be hidden. An attacker could exploit this by requesting various filenames without extensions to map out existing resources.

  • Root cause: MultiViews enabled in conjunction with mod_negotiation allows the server to attempt content negotiation on extension-less requests, exposing file names.
  • Exploit mechanism: An attacker sends a request for a non-existent file without an extension (e.g., `http://example.com/test`). The server looks for files whose names match with any extension and returns the list of candidates it found, in effect a directory listing of potential matches.
  • Scope: Apache web servers configured with mod_negotiation and MultiViews enabled are affected.

3. Detection and Assessment

You can confirm the vulnerability by checking your Apache configuration and attempting to trigger the disclosure.

  • Quick checks: Check whether `mod_negotiation` is loaded using `apachectl -M`, or check the Apache configuration files for `LoadModule negotiation_module`.
  • Scanning: Nessus plugin ID 34865 can detect this vulnerability. Other scanners may have similar checks.
  • Logs and evidence: Examine Apache access logs for requests for extension-less paths that were answered with a list of alternatives (a pseudo directory listing). Look for unusual patterns or attempts to enumerate files, such as many such requests from one client in a short time.
apachectl -M | grep negotiation_module

4. Solution / Remediation Steps

The following steps will help you fix the issue.

4.1 Preparation

Back up the Apache configuration files you are about to edit (for example, `httpd.conf` or `apache2.conf`) so that the roll back described in section 7 has a known-good copy to restore.

4.2 Implementation

  1. Step 1: Remove or disable MultiViews in your Apache configuration file (e.g., `httpd.conf` or `apache2.conf`). Locate the line containing `Options Indexes FollowSymLinks` and remove `Indexes`, together with `MultiViews` where it appears on that line.
  2. Step 2: Remove any files that are not required from the web root and/or the application directory, so that there is nothing unnecessary for negotiation to reveal.
  3. Step 3: Restart the Apache service to apply the changes using `systemctl restart apache2` or the equivalent command for your system.

4.3 Config or Code Example

Before (directory indexes and MultiViews both enabled)

Options Indexes FollowSymLinks MultiViews

After (`Indexes` and `MultiViews` removed)

Options FollowSymLinks
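As an added configuration example (not from the original article), the same change shown inside a complete `<Directory>` block; the document root `/var/www/html` is an assumed path. Here MultiViews is switched off explicitly with `-MultiViews` rather than only being absent, which also overrides a `MultiViews` inherited from an enclosing block:

```apache
# Added example (not from the original article); /var/www/html is assumed.
<Directory "/var/www/html">
    # Directory indexes removed, content negotiation disabled for this tree.
    # Apache rejects an Options line that mixes bare options with +/- ones,
    # so FollowSymLinks carries a "+" as soon as "-MultiViews" is added.
    Options +FollowSymLinks -MultiViews
    AllowOverride None
    Require all granted
</Directory>
```

If no site on the server depends on content negotiation, the `LoadModule negotiation_module` line from section 3 can be commented out instead (on Debian-based systems `a2dismod negotiation` does this), after which no `Options` setting can re-enable it. Check one side effect before deploying either change: any URL that relied on MultiViews to resolve an extension-less path to a file, the behaviour described in section 2, stops resolving once it is disabled.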

4.4 Security Practices Relevant to This Vulnerability

  • Least privilege: Restrict access to sensitive files and directories to only authorized users or processes.
  • Secure defaults: Avoid enabling unnecessary features like MultiViews, which can introduce security risks.

5. Verification / Validation

Confirm the fix by checking your Apache configuration and attempting to trigger the disclosure again.

  • Post-fix check: Verify that `Indexes` is no longer present in the `Options` directive by inspecting the configuration files (`apachectl -M` lists the loaded modules, so use it to confirm the module state rather than the `Options` setting).
  • Re-test: Attempt to request a file without an extension (e.g., `http://example.com/test`) and confirm that it does not return a directory listing.
grep -rn '^[[:space:]]*Options' /etc/apache2/ | grep -iE 'Indexes|MultiViews'   # Debian/Ubuntu layout; adjust the path for your distribution

6. Preventive Measures and Monitoring

  • Baselines: Update your security baseline or policy to include a requirement for disabling MultiViews in Apache configurations.
  • Pipelines: Add configuration checks (for example, a SAST or configuration-linting step) to identify insecure settings such as an enabled MultiViews during the development process.

7. Risks, Side Effects, and Roll Back

  • Roll back: Restore the backed-up Apache configuration files and restart the service to revert to the previous state.

8. References and Resources

Updated on October 26, 2025
