Reported to security@
Affected sites:
https://bienvenida.wikimedia.org/index
https://design.wikimedia.org/index
https://research.wikimedia.org/index
Requesting /index with an Accept header that no variant can satisfy makes mod_negotiation answer 406 and list the files it considered, both in the Alternates header and in the error body:

```
$ curl -i -H "Accept: foo" https://bienvenida.wikimedia.org/index
HTTP/2 406
date: Wed, 20 Apr 2022 12:25:29 GMT
server: Apache
alternates: {"index.html" 1 {type text/html} {length 4604}}
vary: negotiate
tcn: list
content-length: 416
content-type: text/html; charset=iso-8859-1
age: 0
x-cache: cp3054 miss, cp3062 pass
x-cache-status: pass
server-timing: cache;desc="pass", host;desc="cp3062"
strict-transport-security: max-age=106384710; includeSubDomains; preload
report-to: { "group": "wm_nel", "max_age": 86400, "endpoints": [{ "url": "https://intake-logging.wikimedia.org/v1/events?stream=w3c.reportingapi.network_error&schema_uri=/w3c/reportingapi/network_error/1.0.0" }] }
nel: { "report_to": "wm_nel", "max_age": 86400, "failure_fraction": 0.05, "success_fraction": 0.0}
set-cookie: WMF-Last-Access=20-Apr-2022;Path=/;HttpOnly;secure;Expires=Sun, 22 May 2022 12:00:00 GMT
accept-ch: Sec-CH-UA-Arch,Sec-CH-UA-Bitness,Sec-CH-UA-Full-Version-List,Sec-CH-UA-Model,Sec-CH-UA-Platform-Version
permissions-policy: interest-cohort=(),ch-ua-arch=(self "intake-analytics.wikimedia.org"),ch-ua-bitness=(self "intake-analytics.wikimedia.org"),ch-ua-full-version-list=(self "intake-analytics.wikimedia.org"),ch-ua-model=(self "intake-analytics.wikimedia.org"),ch-ua-platform-version=(self "intake-analytics.wikimedia.org")
x-client-ip: XX.XX.XX.XX

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>406 Not Acceptable</title>
</head><body>
<h1>Not Acceptable</h1>
<p>An appropriate representation of the requested resource could not be found on this server.</p>
Available variants:
<ul>
<li><a href="index.html">index.html</a> , type text/html</li>
</ul>
<hr>
<address>Apache Server at bienvenida.wikimedia.org Port 80</address>
</body></html>
```
Reference: https://www.acunetix.com/vulnerabilities/web/apache-mod_negotiation-filename-bruteforcing/
Remediation
Disable MultiViews in Apache's configuration and restart Apache.
MultiViews can also be disabled per directory with a .htaccess file containing the following line (this only takes effect if AllowOverride permits Options for that directory):

Options -MultiViews
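Added here as an example, not part of the report or of Wikimedia's own tooling: a small Python checker that parses a captured response and reports whether it leaks MultiViews variant names, which a defender can use to confirm the finding above or to verify the fix after Options -MultiViews is applied. The two sample responses are constructed from the headers quoted above (the 404 is the assumed post-fix response).

```python
import re
from typing import Dict, List

# RFC 2295 Alternates syntax as emitted by mod_negotiation, e.g.
#   {"index.html" 1 {type text/html} {length 4604}}
ALT_VARIANT_RE = re.compile(r'\{"([^"]+)"\s+[\d.]+(?:\s+\{[^}]*\})*\}')
# Variant links in Apache's default 406 error body.
HTML_VARIANT_RE = re.compile(r'<li><a href="([^"]+)">')


def parse_headers(head: str) -> Dict[str, str]:
    """Lower-cased header dict from a status line plus header lines."""
    headers: Dict[str, str] = {}
    for line in head.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def check_multiviews_disclosure(head: str, body: str) -> dict:
    """Report whether a response leaks MultiViews variant file names."""
    status = int(head.splitlines()[0].split()[1])
    headers = parse_headers(head)
    names = set(ALT_VARIANT_RE.findall(headers.get("alternates", "")))
    if status == 406 and "Available variants" in body:
        names.update(HTML_VARIANT_RE.findall(body))
    return {
        "status": status,
        "negotiation": headers.get("tcn") == "list" or "alternates" in headers,
        "variants": sorted(names),
        "disclosure": bool(names),
    }


# Constructed sample: the 406 quoted in this report, abridged.
VULNERABLE_HEAD = (
    "HTTP/2 406\nserver: Apache\n"
    'alternates: {"index.html" 1 {type text/html} {length 4604}}\n'
    "vary: negotiate\ntcn: list\n"
)
VULNERABLE_BODY = (
    "<h1>Not Acceptable</h1>\nAvailable variants:\n<ul>\n"
    '<li><a href="index.html">index.html</a> , type text/html</li>\n</ul>'
)
# Constructed sample (assumption): what the same request returns once
# MultiViews is off and /index no longer maps to index.html.
FIXED_HEAD = "HTTP/2 404\nserver: Apache\n"
FIXED_BODY = "<h1>Not Found</h1>"
```

Feed it the raw head and body from `curl -i` (split at the first blank line); a result with `disclosure` true or `negotiation` true means the directory still has MultiViews active.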