Cloudflare: Apache mod_negotiation filename bruteforcing

ID H1:25382
Type hackerone
Reporter jpsecurityresearch
Modified 2014-09-19T17:22:27


Vulnerability description mod_negotiation is an Apache module responsible for selecting the document that best matches the clients capabilities, from one of several available documents. If the client provides an invalid Accept header, the server will respond with a 406 Not Acceptable error containing a pseudo directory listing. This behaviour can help an attacker to learn more about his target, for example, generate a list of base names, generate a list of interesting extensions, look for backup files and so on.


IMPACT - Possible information disclosure: directory listing, filename bruteforcing, backup files.

FIX - Disable the MultiViews directive from Apache's configuration file and restart Apache. You can disable MultiViews by creating a .htaccess file containing the following line:

Options -Multiviews


Response HTTP/1.1 406 Not Acceptable Date: Wed, 20 Aug 2014 11:50:24 GMT Content-Type: text/html; charset=iso-8859-1 Connection: keep-alive Alternates: {"index.html" 1 {type text/html}} Vary: negotiate,Accept-Encoding Server: cloudflare-nginx CF-RAY: 15ce5f817c840bb1-HKG Content-Length: 1020