Apache Development
 

#1 | October 23rd, 2001, 12:22 PM | rycamor
what module does this?

This is driving me nuts. In my default compile of Apache with PHP, I often do "--enable-module=most". One of the features that gets enabled is a very nice feature which automatically redirects a request to the nearest match, if there is no file extension. For example:

If I request

http://myserver/test

And I happen to have a file named "test.php" in that directory, then that is the file that loads, even though the original request URL remains in the address bar. I can even do:

http://myserver/test?var1=value1&var2=value2

And "test.php" receives the query string vars.


Now, I think this is a useful feature sometimes, but the problem is, I don't know where to control it. Some of my servers don't have this feature, and I would like to find out how to enable it. Also, I might want to turn off this feature for performance tuning.

I know this is not using mod_rewrite, so I am trying to figure out which other module does this.

Here are two server examples; the first one has this feature, and the second one doesn't:

--------------- has auto redirect feature ---------------

Apache Version: 1.3.17
PHP Version: 4.0.4pl1

Loaded Modules: mod_php4, mod_setenvif, mod_auth, mod_access, mod_alias, mod_userdir, mod_actions, mod_imap, mod_asis, mod_cgi, mod_dir, mod_autoindex, mod_include, mod_status, mod_negotiation, mod_mime, mod_log_config, mod_env, http_core


---------------- does not have auto redirect ---------------

Apache Version: 1.3.12
PHP Version: 4.0.1

Loaded Modules: mod_php4, mod_setenvif, mod_auth, mod_access, mod_alias, mod_userdir, mod_actions, mod_imap, mod_asis, mod_cgi, mod_dir, mod_autoindex, mod_include, mod_status, mod_negotiation, mod_mime, mod_log_config, mod_env, http_core

--------------------------------

Can anyone give me a clue where to look? What httpd.conf directive would deal with this?

#2 | October 23rd, 2001, 08:52 PM | freebsd
>> Some of my servers don't have this feature

Are they identical? Check and see if another directive is overriding one and others.

Check this -> http://httpd.apache.org/docs/sections.html

#3 | October 24th, 2001, 12:18 AM | rycamor
AHA!! MultiViews.

It *was* available on all servers, just not in the /~userdir.

When I try this method in the main DocumentRoot (/usr/local/apache/htdocs), it works on all my servers, and it correspondingly did NOT work anywhere in a /~userdir, because I had left those with the default untouched configuration.

All I had to do was add a <Directory> section for "/home/*/public_html" and give it "Options MultiViews".

For those who want to see, my complete section (based on the example found in httpd.conf) for users is now:
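Code:
# Per-user web directories served through mod_userdir (/~user/)
<Directory /home/*/public_html>
    AllowOverride FileInfo AuthConfig Limit
    # MultiViews enables the extension-less matching (/test -> test.php)
    Options MultiViews SymLinksIfOwnerMatch IncludesNoExec
    # Allow only these methods; everything else is denied below
    <Limit GET POST OPTIONS PROPFIND>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS PROPFIND>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>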


freebsd - any potential security hazards in this? And thanks for the tip.

Reply With Quote
  #4  
Old October 24th, 2001, 01:28 AM
freebsd freebsd is offline
Contributing User
Dev Shed Newbie (0 - 499 posts)
 
Join Date: Jan 2001
Posts: 5 freebsd User rank is Just a Lowly Private (1 - 20 Reputation Level) 
Time spent in forums: < 1 sec
Reputation Power: 0
Yes, three bugs were found in versions prior to 1.3.22. MultiViews was one of those.

http://www.securityfocus.com/bid/3009
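
Added example (not part of the original thread, and not Apache project code): a small audit that reports which sections of a config turn MultiViews on and whether the server banner shows a version prior to 1.3.22, the cutoff stated in the post above. The sample config is constructed from the `<Directory>` block posted earlier; the function names and the `static` path are assumptions.

```python
import re

FIXED_IN = (1, 3, 22)  # per the thread: versions prior to 1.3.22 are affected

# Constructed sample: the <Directory> block from the post plus an "Options All" case.
SAMPLE_CONF = """\
<Directory /usr/local/apache/htdocs/static>
    Options All
</Directory>
<Directory /home/*/public_html>
    AllowOverride FileInfo AuthConfig Limit
    Options MultiViews SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS PROPFIND>
        Order allow,deny
        Allow from all
    </Limit>
</Directory>
"""

def parse_version(banner):
    """Return (major, minor, patch) from a banner like 'Apache/1.3.17 (Unix)'."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None

def multiviews_sections(conf_text):
    """Return (enclosing section, line number) for each Options line naming MultiViews."""
    hits, stack = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        opened = re.match(r"<(\w+)\s*([^>]*)>", line)
        if line.startswith("</"):
            if stack:
                stack.pop()
        elif opened:
            stack.append(f"{opened.group(1)} {opened.group(2)}".strip())
        elif re.match(r"Options\s", line, re.I):
            opts = {o.lstrip("+").lower() for o in line.split()[1:]}
            # "Options All" does not include MultiViews; it has to be named explicitly.
            if "multiviews" in opts:
                hits.append((stack[-1] if stack else "server config", no))
    return hits

def audit(banner, conf_text):
    """Flag a server that has MultiViews on and reports a version before FIXED_IN."""
    version = parse_version(banner)
    sections = multiviews_sections(conf_text)
    at_risk = bool(sections) and version is not None and version < FIXED_IN
    return {"version": version, "multiviews": sections, "at_risk": at_risk}
```

The audit only reads the main config text it is given; `.htaccess` files that set `Options +MultiViews` need the same check applied to them.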

#5 | October 24th, 2001, 02:18 AM | rycamor
I remember now... I tested that exploit several times, and couldn't get it to work. Am I missing something? Wasn't http://my_site/?M=A or http://my_site/?S=D supposed to reveal my directory contents? I couldn't get this to happen even on my older Apache installs.

#6 | October 24th, 2001, 03:22 AM | freebsd
>> Am I missing something?

Yes.

>> Wasn't http://my_site/?M=A or http://my_site/?S=D supposed to reveal my directory contents?

Not just M=A and S=D but also N=D, S=A and D=A.

>> I couldn't get this to happen even on my older Apache installs

Because you need to use %3F instead of ?.

Example:

http://my_site/%3FS=D

ATTENTION EVERYONE!

This example is for educational purposes. Don't abuse it!


I believe 80% of web servers running Apache out there are still vulnerable to this critical exploit.

Last edited by freebsd : October 24th, 2001 at 03:57 AM.
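
Added example (not part of the original thread): a log check for the request shape described in the post above, an encoded `%3F` followed by one of the listing sort arguments inside the path. The log lines are constructed, in Common Log Format, and the function name is an assumption.

```python
import re

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
# Encoded question mark followed by a sort argument (N, M, S or D with A or D).
ENCODED_SORT = re.compile(r"%3[Ff][NMSD]=[AD]")

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [24/Oct/2001:03:40:01 -0400] "GET /foo/ HTTP/1.0" 200 1024
192.0.2.10 - - [24/Oct/2001:03:40:05 -0400] "GET /foo/%3FS=D HTTP/1.0" 200 2048
198.51.100.7 - - [24/Oct/2001:03:41:00 -0400] "GET /pub/?S=D HTTP/1.0" 200 3100
198.51.100.7 - - [24/Oct/2001:03:42:10 -0400] "GET /foo/%3fM=A HTTP/1.0" 404 210
203.0.113.4 - - [24/Oct/2001:03:43:00 -0400] "GET /test?var1=value1&var2=value2 HTTP/1.0" 200 512
"""

def find_encoded_sort_requests(lines):
    """Return one record per request whose path carries an encoded sort argument."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF request line
        host, when, method, target, status = m.groups()
        # A literal "?" starts a real query string; only the path part is checked,
        # so an ordinary "/pub/?S=D" listing sort is not reported.
        path = target.split("?", 1)[0]
        if ENCODED_SORT.search(path):
            hits.append({"host": host, "time": when, "target": target,
                         "served": status == "200"})
    return hits

if __name__ == "__main__":
    for hit in find_encoded_sort_requests(SAMPLE_LOG.splitlines()):
        print(hit)
```

Records with `served` set to true are the ones to review first, since the server answered the request with a 200.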

#7 | October 25th, 2001, 02:52 AM | rycamor
I still couldn't get the exploit to work on any of my servers. I noticed at SecurityFocus that FreeBSD is only mentioned in a couple combinations with Apache 1.3.19. I run only FreeBSD, but none of my machines has exactly kernel 4.2 with 1.3.19. I don't know if that list is a restrictive list, or merely a list of confirmed combinations that have been exploited.

Just to confirm, I should just be able to put that query string on my URL, and then I will get a directory listing, as if the index file is not there, and directory viewing is turned on, right?

I notice that the SecurityFocus explanation says 'likely the result of an error in "multiview" functionality'. Maybe there is another feature involved, because I have multiviews turned on, and this didn't happen.

Is it possible this is more of a Linux thing than a BSD one?

#8 | October 25th, 2001, 03:11 AM | freebsd
>> I still couldn't get the exploit to work on any of my servers

Make sure MultiViews is enabled. You can test by creating a directory with mkdir, say under http://yourserver/foo/, and creating http://yourserver/foo/index.html. Then create http://yourserver/foo/.htaccess with the content Options +MultiViews.
Go to http://yourserver/foo/, then test the exploit by going to http://yourserver/foo/%3FS=D.

>> I noticed at SecurityFocus that FreeBSD is only mentioned in a couple combinations with Apache 1.3.19

I believe this exploit happens on all platforms (even OpenBSD) with versions prior to 1.3.22. I have tested a dozen sites (which I am not going to show here) that are still vulnerable.

>> I should just be able to put that query string on my URL

Not sure, I have never had a need to enable MultiViews so I can't confirm. Maybe you can test it.

>> Maybe there is another feature involved

MultiViews in Apache has a bad record in vulnerability and it's not the first time.

>> Is it possible this is more of a Linux thing than a BSD one?

No different.

BTW, if you wish to use MultiViews with query string, you MUST NOT upgrade to 1.3.22. MultiViews is BROKEN in 1.3.22 when using it with query string. You would get an empty string. Yes, they fixed the bug in 1.3.22 but eventually broke that feature.

Last edited by freebsd : October 25th, 2001 at 03:14 AM.
