[Bug 62524] Multiviews - Information Disclosure
https://bz.apache.org/bugzilla/show_bug.cgi?id=62524

William A. Rowe Jr. changed:

           What    |Removed |Added
         Resolution|---     |INVALID
             Status|NEW     |RESOLVED

--- Comment #5 from William A. Rowe Jr. ---
This behavior looks entirely correct. If you do not want files of another
extension to be shown, turn off multiviews. Httpd will always convey these
names to the client, to help the cache disambiguate between different
representations.

It is certainly confusing, but that isn't due to multiviews. You have tripped
over AcceptPathInfo, a different feature which exposes paths beneath any type
of resource. http://svn.apache.org/viewvc/ is but one example; those svn files
are all served by the viewvc script.

If you believe there is still an issue after disabling these features, you can
reach out to secur...@httpd.apache.org, but I see no reason not to discuss the
confusion here.

--
You are receiving this mail because:
You are the assignee for the bug.

To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org
For additional commands, e-mail: bugs-h...@httpd.apache.org
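A configuration check for the two features named in comment #5, as an added example that is not part of the original thread or of httpd itself: it scans httpd configuration text for directives that switch on MultiViews or AcceptPathInfo. The sample configuration, its paths and the function name `audit` are constructed for illustration.

```python
import re

# Constructed sample configuration (not taken from the bug report).
SAMPLE_CONF = """\
<Directory "/var/www/html">
    Options Indexes FollowSymLinks MultiViews
    AcceptPathInfo On
</Directory>
<Directory "/var/www/html/static">
    Options -MultiViews
    AcceptPathInfo Off
</Directory>
<Directory "/var/www/html/app">
    Options All
</Directory>
"""

SECTION = re.compile(r"<(/?)(\w+)\s*(.*?)>$")

def audit(conf_text):
    """Return (line_no, section, finding) wherever MultiViews or AcceptPathInfo
    is switched on. Section inheritance and Include files are not resolved."""
    findings = []
    stack = ["(server config)"]
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION.match(line)
        if m:
            closing, name, arg = m.groups()
            if not closing:
                stack.append(f"{name} {arg}".strip())
            elif len(stack) > 1:
                stack.pop()
            continue
        directive, *args = line.split()
        args = [a.lower() for a in args]
        if directive.lower() == "options":
            # "Options All" does not include MultiViews; it must be named.
            if "multiviews" in args or "+multiviews" in args:
                findings.append((line_no, stack[-1], "MultiViews enabled"))
        elif directive.lower() == "acceptpathinfo" and args[:1] == ["on"]:
            findings.append((line_no, stack[-1], "AcceptPathInfo On"))
    return findings

if __name__ == "__main__":
    for line_no, section, finding in audit(SAMPLE_CONF):
        print(f"line {line_no}: {finding} in <{section}>")
```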
[Bug 62524] Multiviews - Information Disclosure
Eric Covener changed:

           What    |Removed |Added
            Version|2.2.29  |2.4.29

--- Comment #4 from Eric Covener ---
Please report security issues directly and individually to
secur...@apache.org in the future.
[Bug 62524] Multiviews - Information Disclosure
--- Comment #3 from Richard Hawkesford ---
The above totally bypasses the custom 404 setups, and confirms that the file
exists.
[Bug 62524] Multiviews - Information Disclosure
--- Comment #2 from Richard Hawkesford ---
And on the live server (HTTPS):

Forbidden

You don't have permission to access /.htaccess/testing on this server.

Apache Server at www.xxx.com Port 80
[Bug 62524] Multiviews - Information Disclosure
--- Comment #1 from Richard Hawkesford ---
Side note: requests to
https://192.168.1.30/dir/test/fake.html
bypass the .htaccess "ErrorDocument 404" and have the wrong port number?

Not Found

The requested URL /dir/test/fake.html was not found on this server.

Apache Server at 192.168.1.30 Port 80