
Apache mod_negotiation filename bruteforcing possible



Cloud Services
Server: Other
5 years ago


(Reporter: curtisk, Unassigned)





[reported to sec@ by adityabalapure@live.com]

Apache mod_negotiation filename bruteforcing possible
Vulnerability description
mod_negotiation is an Apache module responsible for selecting the document that best matches the client's capabilities, from one of several available documents. If the client provides an invalid Accept header, the server will respond with a 406 Not Acceptable error containing a pseudo directory listing. This behaviour can help an attacker to learn more about his target, for example, generate a list of base names, generate a list of interesting extensions, look for backup files and so on.

The impact of this vulnerability
Possible information disclosure: directory listing, filename bruteforcing, backup files.

How to fix this vulnerability
Disable the MultiViews directive from Apache's configuration file and restart Apache.
You can disable MultiViews by creating a .htaccess file containing the following line:

Options -Multiviews
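
A check for the fix described in the report above, as an added example that is not part of the original report or of Apache itself: given `Options` lines in the order they apply (server config first, `.htaccess` last), it reports whether MultiViews is still in force. It assumes Apache 2.4 rules (an `Options` line without `+`/`-` replaces inherited options, `All` does not include MultiViews, mixed prefixed and unprefixed options are rejected); the function name and sample lines are constructed.

```python
import re

# Directive and option names are case-insensitive in Apache.
OPTIONS_RE = re.compile(r"^Options\s+(\S.*)$", re.IGNORECASE)


def multiviews_enabled(config_lines):
    """Return True if MultiViews is in force after applying each line in order.

    Assumption: the caller lists the lines in Apache's merge order
    (server config, then <Directory>, then .htaccess).
    """
    enabled = False  # MultiViews is only on when it is named explicitly
    for raw in config_lines:
        match = OPTIONS_RE.match(raw.strip())
        if not match:  # comments and unrelated directives are skipped
            continue
        tokens = match.group(1).split()
        prefixed = [tok[0] in "+-" for tok in tokens]
        if any(prefixed) and not all(prefixed):
            raise ValueError("mixed +/- and plain options: " + raw.strip())
        if all(prefixed):
            # Relative form: merge into whatever is already in force.
            for tok in tokens:
                if tok[1:].lower() == "multiviews":
                    enabled = tok[0] == "+"
        else:
            # Absolute form: replaces inherited options entirely.
            enabled = any(tok.lower() == "multiviews" for tok in tokens)
    return enabled


if __name__ == "__main__":
    # Constructed sample chains, outermost context first.
    chains = {
        "vhost enables, .htaccess disables": [
            "Options Indexes FollowSymLinks MultiViews",
            "Options -Multiviews",
        ],
        "vhost enables, no override": ["Options +MultiViews"],
        "Options All only": ["Options All"],
    }
    for name, lines in chains.items():
        print(f"{name}: MultiViews {'ON' if multiviews_enabled(lines) else 'off'}")
```

A `.htaccess` line only takes effect when the enclosing configuration's `AllowOverride` permits `Options`.
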
Which site is this in reference to?

I don't see this as a security concern at all, considering our sites all have their source in public version control anyway.
Group: mozilla-services-security
While I understand the concerns here, it's fundamentally a disagreement with a web protocol, and one that - as a provider of webservices - we want to encourage. As Reed observes, we're already very public about what we do and what we support, so I don't think this can be considered a problem.

If there's a specific example of something leaking a piece of information that might be exploitable beyond what already exists in our public repos and generally on the internet, I'd like to hear it, though I think we'd probably look to patch the exploit that the information leaks. Thanks!
Last Resolved: 6 years ago
Resolution: --- → WONTFIX