Apache mod_negotiation Alternative Filename Disclosure

medium Web App Scanning Plugin ID 113165

Synopsis

Apache mod_negotiation Alternative Filename Disclosure

Description

An Apache web server configured with mod_negotiation and MultiViews enabled may, on receipt of a crafted invalid request for an extension-less filename, return a pseudo directory listing of matching resources with known MIME types. Attackers may abuse this feature to discover hidden resources on a server without resorting to brute-force methods. The scanner has detected files on the server using this technique.

Solution

If the files are not required, they should be removed from the web root and/or the application directory, or restricted by additional access controls. Removing MultiViews from the Apache configuration can be used to avoid disclosing the presence of these files by this method, but it should not be considered a complete solution, as it may only hinder an attacker from discovering them.
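
To locate where MultiViews is switched on before removing it, the following added example (not part of the plugin or of Apache) scans configuration text for `Options` directives that enable it and reports the enclosing section. The function name `find_multiviews` and the sample configuration are constructed for illustration; the check does not follow `Include` directives, read `.htaccess` files, or compute the merged options of overlapping sections.

```python
import re

# Constructed sample configuration (not from the advisory or any real server).
SAMPLE_CONF = """\
# global defaults
Options Indexes FollowSymLinks
<Directory "/var/www/html">
    Options All
</Directory>
<Directory "/var/www/html/app">
    options +MultiViews -Indexes
</Directory>
<VirtualHost *:80>
    <Directory "/srv/legacy">
        Options FollowSymLinks \\
                MultiViews
    </Directory>
    <Location "/static">
        Options -MultiViews
    </Location>
</VirtualHost>
"""

def find_multiviews(conf_text):
    """Return (line_no, context, directive) for each Options line enabling MultiViews."""
    findings, stack, pending, start = [], [], "", 0
    for no, raw in enumerate(conf_text.splitlines(), 1):
        if not pending:
            start = no                      # first physical line of the directive
        line = pending + raw.strip()
        if line.endswith("\\"):             # httpd joins backslash-continued lines
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<\s*(\w+)\s*(.*?)\s*>$", line)
        if line.startswith("</"):           # leaving a <Directory>/<Location>/... section
            stack = stack[:-1]
        elif opened:                        # entering a section: remember its name and argument
            stack.append(f"{opened.group(1)} {opened.group(2)}".strip())
        elif line.split()[0].lower() == "options":   # directive names are case-insensitive
            words = line.split()
            # "Options All" is deliberately not matched: All excludes MultiViews.
            if {w.lower() for w in words[1:]} & {"multiviews", "+multiviews"}:
                findings.append((start, " > ".join(stack) or "server config", " ".join(words)))
    return findings
```

Run `find_multiviews` over the text of each configuration file in use; every finding is a place to drop `MultiViews` or add `-MultiViews`, alongside removing or restricting the unneeded files themselves.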

See Also

http://www.wisec.it/sectou.php?id=4698ebdc59d15

https://httpd.apache.org/docs/2.4/mod/mod_negotiation.html

https://www.ush.it/2008/07/02/mod_negotiation-directory-listing-filename-bruteforcing/

Plugin Details

Severity: Medium

ID: 113165

Type: remote

Family: Web Servers

Published: 3/8/2022

Updated: 3/8/2022

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

Reference Information