https://bz.apache.org/bugzilla/show_bug.cgi?id=62524
Bug ID: 62524
Summary: Multiviews - Information Disclosure
Product: Apache httpd-2
Version: 2.2.29
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_negotiation
Assignee: bugs@httpd.apache.org
Reporter: richard.hawkesf...@outlook.com
Target Milestone: ---

The following is tested on:

Apache/2.4.29 (Ubuntu)
Apache/2.4.25 (Debian)
Apache/2.4.18 (Ubuntu)

Fresh installs with multiviews enabled like this:

<Directory /var/www/html>
    Options Multiviews
</Directory>

Create a file "/var/www/html/dir/test.png"

Try to access the following URL:

http://192.168.1.32/dir/test/fake.png

You get the following 404 error:

Not Found
The requested URL /dir/test.png/fake.png was not found on this server.
Apache/2.4.29 (Ubuntu) Server at 192.168.1.32 Port 80

This also works if you use a different extension like this:

Try to access the following URL:

http://192.168.1.32/dir/test/fake.html

You get the following 404 error:

Not Found
The requested URL /dir/test.png/fake.html was not found on this server.
Apache/2.4.29 (Ubuntu) Server at 192.168.1.32 Port 80

Is this working as intended, or is this a bug/information disclosure?

Richard
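
A defender-side check for the behaviour reported above, as an added example that is not part of the original report or of Apache httpd: it compares the path a client requested with the path echoed in the default 404 body and lists the segments the server replaced with a negotiated file name. The response bodies are constructed from the error text quoted in the report, and the function and constant names are hypothetical.

```python
import html
import re
from urllib.parse import unquote

# Wording of the default Apache 404 body, as quoted in the report.
NOT_FOUND_RE = re.compile(r"The requested URL (\S+) was not found on this server")

# Constructed sample bodies (not captured traffic).
LEAKY_404 = ("<h1>Not Found</h1>\n<p>The requested URL /dir/test.png/fake.png "
             "was not found on this server.</p>")
CLEAN_404 = ("<h1>Not Found</h1>\n<p>The requested URL /dir/test/fake.png "
             "was not found on this server.</p>")


def echoed_path(body):
    """Return the URL path echoed in a default 404 body, or None if absent."""
    match = NOT_FOUND_RE.search(body)
    return html.unescape(match.group(1)) if match else None


def disclosed_names(requested, body):
    """List (requested_segment, echoed_segment) pairs where the echoed path
    carries a file extension the client never sent."""
    echoed = echoed_path(body)
    if echoed is None:
        return []  # custom error page or different wording: nothing echoed
    req = unquote(requested).split("?", 1)[0].strip("/").split("/")
    ech = unquote(echoed).strip("/").split("/")
    if len(req) != len(ech):
        return []  # path shape differs, so this is not the reported pattern
    return [(r, e) for r, e in zip(req, ech)
            if r != e and e.startswith(r + ".")]


if __name__ == "__main__":
    for label, body in (("MultiViews on", LEAKY_404), ("no rewrite", CLEAN_404)):
        print(label, disclosed_names("/dir/test/fake.png", body))
```

If the check reports a pair for a host you administer, removing `MultiViews` from that directory's `Options` stops the negotiation, and an `ErrorDocument 404` page with static text stops the path from being echoed at all.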