Closed Bug 783125 Opened 13 years ago Closed 13 years ago

Apache mod_negotiation filename bruteforcing on www.mozilla.org

Categories

(www.mozilla.org :: General, defect)

defect
Not set
major

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: shashankcyberboy, Unassigned)

References

Details

(Keywords: reporter-external)

Attachments

(1 file)

Apache mod_negotiation filename bruteforcing

Vulnerability description

mod_negotiation is an Apache module responsible for selecting the document that best matches the client's capabilities, from one of several available documents. If the client provides an invalid Accept header, the server will respond with a 406 Not Acceptable error containing a pseudo directory listing. This behaviour can help an attacker to learn more about his target, for example, generate a list of base names, generate a list of interesting extensions, look for backup files and so on.

This vulnerability affects: Web Server

The impact of this vulnerability: Possible information disclosure: directory listing, filename bruteforcing, backup files.

How to fix this vulnerability: Disable the MultiViews directive from Apache's configuration file and restart Apache. You can disable MultiViews by creating a .htaccess file containing the following line:

Options -Multiviews

I have provided the screenshot of the proof.
CC list accessible: false
Not accessible to reporter
Group: mozilla-services-security → mozilla-corporation-confidential
Component: Web Site → www.mozilla.org
Product: Mozilla Services → Websites
I think we rely on MultiViews. Is it really a problem for us, given that our codebase is public?
Flags: sec-review?
CC list accessible: true
Accessible to reporter
Group: mozilla-corporation-confidential → websites-security
Yes, it is indeed a big problem for you all... think if someone reaches your config files. Even for this vulnerability many exploits are open on the internet... one of the exploits is in Metasploit. Check here: http://www.metasploit.com/modules/auxiliary/scanner/http/mod_negotiation_brute/
I was able to reproduce using curl

curl -vLH "Accept: fake/fake" "http://www.mozilla.org/index"

The above outputs the same error as the screenshot. You must specify a file which exists on the server, otherwise you get the normal 404 page.

I'm not sure if there is anything interesting to bruteforce though, since the code is public as Anthony mentions. You wouldn't be able to access any file you couldn't normally access.
Status: UNCONFIRMED → NEW
Ever confirmed: true
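A defender-side check of the behaviour described in the report and reproduced with curl above, added here as an example; it is not part of the bug report or of any Mozilla tooling. It requests a resource that exists with an Accept header no variant can satisfy and looks for the 406 "Available variants:" listing that mod_negotiation returns, then extracts the filenames that listing disclosed. The target URL, network access and the file name `check_multiviews.py` are assumptions; the sample response body is constructed to mirror Apache's standard 406 page and is the only input the offline path uses.

```python
"""Check whether a web server exposes the mod_negotiation 406 variant listing.

Added example, not code from the bug report. The network probe is an
assumption about the target; classify_response() is pure and runs offline.
"""
import re
import sys
import urllib.error
import urllib.request

# Apache lists each variant as a link inside the 406 body.
VARIANT_RE = re.compile(r'<li><a href="([^"]+)">', re.IGNORECASE)


def classify_response(status, body):
    """Return the variant filenames Apache disclosed, or [] when there is no listing.

    A 406 whose body carries "Available variants:" is the MultiViews
    pseudo-directory listing the report describes; any other status, or a
    406 without that marker (e.g. a custom error page), is not.
    """
    if status != 406 or "Available variants:" not in body:
        return []
    return VARIANT_RE.findall(body)


def probe(url, timeout=10):
    """Fetch url with an unsatisfiable Accept header and classify the answer.

    Returns (status, variants). urllib raises HTTPError for 4xx/5xx, so the
    406 body is read from the exception object.
    """
    req = urllib.request.Request(url, headers={"Accept": "fake/fake"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read().decode("utf-8", "replace")
    return status, classify_response(status, body)


# Constructed sample of the body mod_negotiation emits on 406 (not captured
# from www.mozilla.org); the filenames are made up for the example.
SAMPLE_406_BODY = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>406 Not Acceptable</title>
</head><body>
<h1>Not Acceptable</h1>
<p>An appropriate representation of the requested resource /index could not be found on this server.</p>
Available variants:
<ul>
<li><a href="index.html">index.html</a> , type text/html, language en</li>
<li><a href="index.php">index.php</a> , type application/x-httpd-php</li>
</ul>
</body></html>
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check against a URL the operator is responsible for.
        code, variants = probe(sys.argv[1])
        verdict = "MultiViews listing exposed" if variants else "no listing"
        print(f"{sys.argv[1]}: HTTP {code}, {verdict}: {variants}")
    else:
        # Offline demonstration on the constructed sample.
        print(classify_response(406, SAMPLE_406_BODY))
```

Run as `python3 check_multiviews.py https://example.invalid/index` (hypothetical file name) to probe a server you operate, naming a path that exists as the curl test above notes; with no argument it classifies the constructed sample. On the remediation side, `Options -MultiViews` in `.htaccess` only takes effect when the enclosing `<Directory>` grants `AllowOverride Options` (or `AllowOverride Options=MultiViews`); otherwise Apache answers 500 and logs that the directive is not allowed there, which is why setting it in the server configuration and restarting, as the description says, is the more reliable route. MultiViews is also excluded from `Options All`, so it is only active where it has been named explicitly.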
Yeah, you are right that anyone could not access the file, they can just brute force the directories... but it can be used as a payload with other vulnerabilities like LFI and RFI... it will help the attacker to find out the structure of the site... so if this vulnerability is not treated it may result in something fatal later on... it is always better to close all the small holes in a website.
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org
What happened? I still haven't received any further replies.

(In reply to David Chan [:dchan] from comment #4)
> I was able to reproduce using curl
>
> curl -vLH "Accept: fake/fake" "http://www.mozilla.org/index"
>
> The above outputs the same error as the screenshot. You must specify a file
> which exists on the server otherwise you get the normal 404 page
>
> I'm not sure if there is anything interesting to bruteforce though since the
> code is public as Anthony mentions. You wouldn't be able to access any file
> you couldn't normally access.
No replies???? Are you just ignoring us????
(In reply to shashank from comment #7)
> no repliess ???? are just ignoring uss????

Hey shashank, I'm not sure what happened with this bug. From looking at the history, the bug was marked as non-qualified for the bounty program due to the minimal risk. We normally reply through the original submission email or on the bug when a committee decision has been reached. We're sorry that we didn't communicate back to you in a timely manner.
I see no reason for us to turn MultiViews off... Nothing on www.mozilla.org is secret or private. It's all open source in public repositories.
Group: websites-security
Status: NEW → RESOLVED
Closed: 13 years ago
OS: Windows 7 → All
Hardware: x86_64 → All
Resolution: --- → WONTFIX
Summary: web server vulnerablity in www.mozilla.org → Apache mod_negotiation filename bruteforcing on www.mozilla.org
Flags: sec-bounty-