Apache mod_negotiation filename bruteforcing
Description
The Apache mod_negotiation module automatically selects the most appropriate document variant based on client capabilities (language, encoding, media type, etc.). When a client requests a resource by its base name and sends a malformed or otherwise unsatisfiable Accept header to a server with the MultiViews option enabled, Apache responds with a 406 Not Acceptable error whose body inadvertently lists the available file variants in that directory. This exposes internal file structure information that should not be publicly accessible, allowing an attacker to enumerate filenames and extensions and potentially discover sensitive files without proper authorization.
Remediation
Disable the MultiViews option in Apache's mod_negotiation module so that automatic content negotiation can no longer expose file information. This can be accomplished in any of the following ways:
Method 1: Using .htaccess file (per-directory)
Create or modify the .htaccess file in the affected directory with the following directive (note that the directive only takes effect if the enclosing Directory block permits it with AllowOverride Options or AllowOverride All):

Options -MultiViews
Method 2: Apache configuration file (server-wide)
Edit your Apache configuration file (httpd.conf or apache2.conf) and modify the Options directive within the appropriate Directory block:
<Directory /var/www/html>
Options -MultiViews -Indexes
AllowOverride None
Require all granted
</Directory>

Method 3: Virtual host configuration (per-site)
Add the Options directive to your virtual host configuration:
<VirtualHost *:80>
ServerName example.com
DocumentRoot /var/www/html
Options -MultiViews
</VirtualHost>

After making changes, verify the configuration syntax with apachectl configtest or apache2ctl configtest, then restart Apache using systemctl restart apache2 or service httpd restart, depending on your system.
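Because Options directives from the main configuration, the matching Directory or VirtualHost block, and .htaccess are merged (relative +/- forms accumulate, an absolute list replaces everything inherited, and "All" deliberately excludes MultiViews), it is easy to believe the fix is in place when a later directive has re-enabled it. The following added example (not part of the original page or of Apache) replays a chain of Options directives under those merge rules and reports whether MultiViews is still effective; the Apache 2.4 default of FollowSymLinks is an assumption you can override.

```python
"""Added audit helper: replay Apache ``Options`` directives in merge order
(main config, then <Directory>/<VirtualHost>, then .htaccess) and report
whether MultiViews is still in force for that path."""
import re

# ``Options All`` is every option EXCEPT MultiViews, so it never enables it.
ALL_OPTIONS = {"execcgi", "followsymlinks", "includes", "includesnoexec",
               "indexes", "symlinksifownermatch"}
DIRECTIVE = re.compile(r"^[ \t]*Options[ \t]+(.+?)[ \t]*$",
                       re.IGNORECASE | re.MULTILINE)


def merge_options(current, args):
    """Apply one Options directive to the option set currently in force."""
    tokens = args.split()
    relative = [tok[0] in "+-" for tok in tokens]
    # Apache rejects a directive that mixes +/- forms with absolute names.
    if any(relative) and not all(relative):
        raise ValueError(f"mixed relative and absolute Options: {args!r}")
    # An absolute list replaces whatever was inherited; +/- forms merge into it.
    current = set() if not any(relative) else set(current)
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = {"all": ALL_OPTIONS, "none": set()}.get(name.lower(), {name.lower()})
        current = current | names if sign == "+" else current - names
    return current


def effective_options(chunks, default=("FollowSymLinks",)):
    """chunks: config texts in merge order. default: built-in Options when no
    directive applies (Apache 2.4's FollowSymLinks is assumed here)."""
    current = {opt.lower() for opt in default}
    for chunk in chunks:
        for match in DIRECTIVE.finditer(chunk):
            current = merge_options(current, match.group(1))
    return current


def multiviews_enabled(chunks, default=("FollowSymLinks",)):
    """True when the 406 variant listing described above can still occur."""
    return "multiviews" in effective_options(chunks, default)


if __name__ == "__main__":
    # Constructed sample: the Directory block enables it, .htaccess disables it.
    HTTPD_CONF = "<Directory /var/www/html>\n    Options Indexes MultiViews\n</Directory>\n"
    HTACCESS = "Options -MultiViews\n"
    print(multiviews_enabled([HTTPD_CONF]), multiviews_enabled([HTTPD_CONF, HTACCESS]))
```

Pass the .htaccess text only when AllowOverride actually permits Options for that directory; otherwise Apache ignores it and so should the audit.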