mod negotiation, MultiViews and type maps

Forum Moderators: phranque

Message Too Old, No Replies

mod negotiation, MultiViews and type maps

A security risk?

coopster

2:56 am on Jul 21, 2006 (gmt 0)

A recent thread [webmasterworld.com] by member Liane brought up a short discussion on Apache's mod_negotiation [httpd.apache.org] and the use of MultiViews.

The module is a base module which means it is compiled and loaded into the server by default, and is therefore normally available unless you have taken steps to remove the module from your configuration. Some shared hosting providers claim it a security risk and have done exactly that, removed this base module from the Apache implementation. Others, as in her case, not only leave it intact but allow the MultiViews option available server-wide by setting it in the configuration.

Do you believe the module is a security risk?
If so, what is the basis for this foundation?
If not, why do you think some shared hosting providers remove this base module?

encyclo

2:05 am on Jul 23, 2006 (gmt 0)

I don't think MultiViews is particularly problematic in terms of being a security risk. There was one vulnerability [cve.mitre.org] which allowed older versions of Apache to display a directory index rather than the default index page. However, documents held within the document root are only protected by obscurity, and anything important is going to be kept below document root on any well-configured site.

Maybe shared hosting providers remove it as it is all but unused except on very rare occasions by experienced web developers, and so not worth loading in a default shared environment. Perhaps the above vulnerability was enough not to take the risk.

mod_negotation and MultiViews are powerful tools when used correctly, but they do come with a penalty - they open the door to widespread duplicate content on the site as the same resource resolves under many different URIs. Therefore it is usually best to disable it unless required.

Personally, I've never come across a shared host which allowed MultiViews...

coopster

1:44 pm on Jul 24, 2006 (gmt 0)

I tend to agree with your thoughts here.

First, I do not believe it is a security risk either. The CVE cited is old, very old, and should have been patched long ago on any host http server running 1.3.x. I think that hosts claiming it is a security matter are using that as a "that's just the way this server is going to stay" default answer to those that question if the server could be recompiled with that option made available.

Second, it involves work and recompiling on their end. Wouldn't that just be awful, to have to recompile the software (sarcasm intended).

Third, mod_negotiation can have some impact on performance, but no more so than mod_rewrite and that module is almost exclusively compiled by default on shared hosts! I think this goes back to popular demand because of how web developers have written applications.

I believe that shared hosts are turning it off not because it is a security risk but moreso because of the (possible) impact to their servers and support structure based on the option being available. Even that is questionable though, as I stated before.

In regards to the duplicate content, I am going to spin that off in a different thread -- MultiViews and duplicate content [webmasterworld.com]