https://bz.apache.org/bugzilla/show_bug.cgi?id=62524
Bug ID: 62524
Summary: Multiviews - Information Disclosure
Product: Apache httpd-2
Version: 2.2.29
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_negotiation
Assignee: bugs@httpd.apache.org
Reporter: richard.hawkesf...@outlook.com
Target Milestone: ---
The following is tested on:
Apache/2.4.29 (Ubuntu)
Apache/2.4.25 (Debian)
Apache/2.4.18 (Ubuntu)
Fresh install's with multiviews enabled like this:
<Directory /var/www/html>
Options Multiviews
</Directory>
Create a file "/var/www/html/dir/test.png"
Try to access the following URL http://192.168.1.32/dir/test/fake.png
You get the following 404 error:
Not Found
The requested URL /dir/test.png/fake.png was not found on this server.
Apache/2.4.29 (Ubuntu) Server at 192.168.1.32 Port 80
This also works if you use a different extension like this:
Try to access the following URL http://192.168.1.32/dir/test/fake.html
You get the following 404 error:
Not Found
The requested URL /dir/test.png/fake.html was not found on this server.
Apache/2.4.29 (Ubuntu) Server at 192.168.1.32 Port 80
Is this working as intended? or is this a bug/information disclosure?
Richard
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org
For additional commands, e-mail: bugs-h...@httpd.apache.org
