# File Enumeration via Pseudo Directory Listing

`mod_negotiation` is an Apache module responsible for selecting, from several available documents, the one that best matches the client's capabilities. If the client sends an invalid `Accept` header, the server responds with a `406 Not Acceptable` error whose body contains a pseudo directory listing of the available variants.

This behaviour can help an attacker learn more about the target, for example by generating a list of base names, generating a list of interesting extensions, or looking for backup files.
## Exploit

Add something invalid to the `Accept` header:

```http
GET /index HTTP/1.1
Host: www.example.com
Accept: test
```

In this instance, the request targets the `index` base name, because an application is likely to have a file called `index.html`.
| Request | Response Code |
|---|---|
| Existing file | 406 Not Acceptable |
| Non-existing file | 404 Not Found |
## Remediation

Disable the `MultiViews` directive in Apache's configuration file.

You can disable `MultiViews` by creating a `.htaccess` file containing the following line:

```apacheconf
Options -Multiviews
```
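The remediation above depends on how Apache merges `Options` directives: a plain list replaces whatever was inherited, a `+`/`-` list merges into it, mixing the two forms in one directive is an error, and `Options All` deliberately does not include `MultiViews`. The following added example (not part of the original page or of the Apache project) is a small configuration audit that models those rules so you can check whether `MultiViews` is still enabled in a given scope before relying on the `.htaccess` fix. The sample configurations are constructed; the audit treats the text it is given as a single scope (one `<Directory>` block or one `.htaccess`) and does not model merging across nested scopes.

```python
import re

# Option names Apache expands "All" to; MultiViews is deliberately NOT part of All.
ALL_OPTIONS = {"indexes", "includes", "followsymlinks", "symlinksifownermatch", "execcgi"}
MULTIVIEWS = "multiviews"


def apply_options(state, value):
    """Apply one Options directive value to a set of enabled option names.

    Apache semantics for the core 'Options' directive:
      * a plain list ("Options Indexes MultiViews") replaces the inherited set;
      * a +/- list ("Options -MultiViews") merges into the inherited set;
      * mixing the two forms in one directive is a configuration error;
      * option names are compared case-insensitively, so "-Multiviews" works.
    """
    tokens = value.split()
    if not tokens:
        raise ValueError("Options directive requires at least one option")
    relative = [t[0] in "+-" for t in tokens]
    if any(relative) and not all(relative):
        raise ValueError("Either all Options must start with + or -, or no Option may")
    result = set(state) if all(relative) else set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        name = name.lower()
        if name == "none":
            names = set()
        elif name == "all":
            names = ALL_OPTIONS
        else:
            names = {name}
        if sign == "+":
            result |= names
        else:
            result -= names
    return result


def multiviews_enabled(config_text, inherited=()):
    """Return True if MultiViews is enabled after applying every Options
    directive in config_text, in order, on top of the inherited option set.
    The text is treated as one configuration scope (assumption of this audit);
    per-directory merging across nested scopes is not modelled."""
    state = set(inherited)
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # Apache comments are whole lines only
            continue
        m = re.match(r"Options\s+(.+)$", line, re.IGNORECASE)
        if m:
            state = apply_options(state, m.group(1))
    return MULTIVIEWS in state


# Constructed sample configurations (not taken from any real server).
WEAK_CONFIG = """
<Directory "/var/www/html">
    # MultiViews enabled: 406 responses will list the available variants
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
</Directory>
"""

HARDENED_CONFIG = """
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    # 'Options' must be overridable here for a .htaccess 'Options -MultiViews' to apply
    AllowOverride Options
</Directory>
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: MultiViews enabled = {multiviews_enabled(cfg)}")
    # The .htaccess line from the page, applied where MultiViews was inherited as on:
    print("htaccess override:", multiviews_enabled("Options -Multiviews", inherited={MULTIVIEWS}))
```

One caveat the audit makes visible: a `.htaccess` `Options -Multiviews` only takes effect when the enclosing `<Directory>` has `AllowOverride` permitting `Options`; with `AllowOverride None` the file is ignored and the server-level setting stands, so check the main configuration as well as the `.htaccess`.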