
Microsites respond with pseudo directory listing if sent an invalid Accept header
Closed, Declined | Public | Security

Description

Reported to security@

Affected sites:
https://bienvenida.wikimedia.org/index
https://design.wikimedia.org/index
https://research.wikimedia.org/index

$ curl -i -H "Accept: foo" https://bienvenida.wikimedia.org/index
HTTP/2 406 
date: Wed, 20 Apr 2022 12:25:29 GMT
server: Apache
alternates: {"index.html" 1 {type text/html} {length 4604}}
vary: negotiate
tcn: list
content-length: 416
content-type: text/html; charset=iso-8859-1
age: 0
x-cache: cp3054 miss, cp3062 pass
x-cache-status: pass
server-timing: cache;desc="pass", host;desc="cp3062"
strict-transport-security: max-age=106384710; includeSubDomains; preload
report-to: { "group": "wm_nel", "max_age": 86400, "endpoints": [{ "url": "https://intake-logging.wikimedia.org/v1/events?stream=w3c.reportingapi.network_error&schema_uri=/w3c/reportingapi/network_error/1.0.0" }] }
nel: { "report_to": "wm_nel", "max_age": 86400, "failure_fraction": 0.05, "success_fraction": 0.0}
set-cookie: WMF-Last-Access=20-Apr-2022;Path=/;HttpOnly;secure;Expires=Sun, 22 May 2022 12:00:00 GMT
accept-ch: Sec-CH-UA-Arch,Sec-CH-UA-Bitness,Sec-CH-UA-Full-Version-List,Sec-CH-UA-Model,Sec-CH-UA-Platform-Version
permissions-policy: interest-cohort=(),ch-ua-arch=(self "intake-analytics.wikimedia.org"),ch-ua-bitness=(self "intake-analytics.wikimedia.org"),ch-ua-full-version-list=(self "intake-analytics.wikimedia.org"),ch-ua-model=(self "intake-analytics.wikimedia.org"),ch-ua-platform-version=(self "intake-analytics.wikimedia.org")
x-client-ip: XX.XX.XX.XX

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>406 Not Acceptable</title>
</head><body>
<h1>Not Acceptable</h1>
<p>An appropriate representation of the requested resource could not be found on this server.</p>
Available variants:
<ul>
<li><a href="index.html">index.html</a> , type text/html</li>
</ul>
<hr>
<address>Apache Server at bienvenida.wikimedia.org Port 80</address>
</body></html>

https://www.acunetix.com/vulnerabilities/web/apache-mod_negotiation-filename-bruteforcing/

Remediation

Disable the MultiViews option in Apache's configuration file and restart Apache.
You can disable MultiViews by creating a .htaccess file containing the following line:

Options -Multiviews
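As an added example, not part of the report or of Wikimedia's own tooling, the script below parses the two places where the 406 response above discloses variant names: the RFC 2295 Alternates header and the "Available variants" list in the HTML body. The report's own response is embedded as constructed sample data, and probe() repeats the report's curl request (Accept: foo) with urllib so a site owner can confirm that Options -MultiViews took effect. Function names and the keys of the result dict are my own choices.

```python
"""Audit check for Apache MultiViews variant disclosure on a 406 response."""
import re
import urllib.error
import urllib.request

# Constructed sample: the relevant headers and body of the 406 response
# quoted in the report (header names lower-cased, as curl -i shows them).
SAMPLE_STATUS = 406
SAMPLE_HEADERS = {
    "alternates": '{"index.html" 1 {type text/html} {length 4604}}',
    "vary": "negotiate",
    "tcn": "list",
    "content-type": "text/html; charset=iso-8859-1",
}
SAMPLE_BODY = """<html><head><title>406 Not Acceptable</title></head><body>
<h1>Not Acceptable</h1>
<p>An appropriate representation of the requested resource could not be found on this server.</p>
Available variants:
<ul>
<li><a href="index.html">index.html</a> , type text/html</li>
</ul>
<hr>
<address>Apache Server at bienvenida.wikimedia.org Port 80</address>
</body></html>"""

# One variant descriptor in an RFC 2295 Alternates header looks like
#   {"index.html" 1 {type text/html} {length 4604}}
# i.e. a quoted name, a quality value, then zero or more {attr value} groups.
ALT_RE = re.compile(r'\{"([^"]+)"\s+([0-9.]+)((?:\s*\{[^{}]*\})*)\s*\}')
ATTR_RE = re.compile(r'\{(\S+)\s+([^{}]*)\}')
# mod_negotiation's 406 page lists each variant as <li><a href="name">...
BODY_LINK_RE = re.compile(r'<li>\s*<a href="([^"]+)"', re.IGNORECASE)


def parse_alternates(value):
    """Return [(filename, quality, {attr: value})] for an Alternates header."""
    return [(name, float(q), dict(ATTR_RE.findall(attrs)))
            for name, q, attrs in ALT_RE.findall(value)]


def analyse_response(status, headers, body):
    """Report whether a response discloses MultiViews variant names.

    headers is a dict of header name -> value (any case). The result carries
    the disclosed names plus the negotiation evidence (tcn, Vary: negotiate).
    """
    h = {k.lower(): v for k, v in headers.items()}
    names = []
    if "alternates" in h:
        names += [n for n, _, _ in parse_alternates(h["alternates"])]
    if status == 406:
        names += BODY_LINK_RE.findall(body)
    names = sorted(set(names))
    return {
        "leak": bool(names),
        "variants": names,
        "tcn": h.get("tcn"),
        "negotiated": "negotiate" in h.get("vary", "").lower(),
    }


def probe(url, timeout=10):
    """Send the report's request (Accept: foo) and analyse the reply.

    urllib raises HTTPError for 4xx/5xx, so the 406 case is handled there.
    """
    req = urllib.request.Request(url, headers={"Accept": "foo"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return analyse_response(resp.status, dict(resp.headers),
                                    resp.read().decode("latin-1"))
    except urllib.error.HTTPError as err:
        return analyse_response(err.code, dict(err.headers),
                                err.read().decode("latin-1"))


if __name__ == "__main__":
    # Offline run against the embedded sample from the report.
    print(analyse_response(SAMPLE_STATUS, SAMPLE_HEADERS, SAMPLE_BODY))
```

Run as-is, the script evaluates the embedded sample and reports the leaked name index.html together with tcn: list and Vary: negotiate. Once MultiViews is disabled the same request no longer goes through mod_negotiation, so /index returns a plain 404 (or the resource itself) with no alternates or tcn header, and leak comes back False.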

Details

Risk Rating
Informational
Author Affiliation
Other (Please specify in description)

Event Timeline

Reedy triaged this task as Lowest priority. Apr 20 2022, 12:27 PM
Reedy updated the task description.
sbassett moved this task from Incoming to In Progress on the Security-Team board.
sbassett added a project: SecTeam-Processed.
sbassett moved this task from In Progress to Frozen on the Security-Team board.
sbassett subscribed.

I'm going to decline this for now. The only demonstrated "attack" here is inducing the server to return suggestions for index.html when index is requested. index(.html) is one of dozens of common web-related file-naming conventions and is one of the first patterns any dynamic scanning tool or attacker is likely to spider while gathering information about a target. Not to mention that it is, at best, extremely innocuous information.

sbassett changed Author Affiliation from N/A to Other (Please specify in description). Sep 12 2022, 6:44 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Informational.