
The MultiViews directive is used.


Overview

Finding ID: V-13734
Version: WA000-WWA056
Rule ID: SV-14344r1_rule
IA Controls:
Severity: Medium
Description
Directory options directives are httpd.conf directives that can be applied to further restrict access to files and directories.

From Apache.org: MultiViews is a per-directory option, meaning it can be set with an Options directive within a <Directory>, <Location> or <Files> section in httpd.conf, or (if AllowOverride is properly set) in .htaccess files. Note that Options All does not set MultiViews; you have to ask for it by name.

The effect of MultiViews is as follows: if the server receives a request for /some/dir/foo, if /some/dir has MultiViews enabled, and /some/dir/foo does not exist, then the server reads the directory looking for files named foo.*, and effectively fakes up a type map which names all those files, assigning them the same media types and content-encodings it would have if the client had asked for one of them by name. It then chooses the best match to the client's requirements.

MultiViews may also apply to searches for the file named by the DirectoryIndex directive, if the server is trying to index a directory. If the configuration files specify DirectoryIndex index then the server will arbitrate between index.html and index.html3 if both are present. If neither are present, and index.cgi is there, the server will run it.

If one of the files found when reading the directory does not have an extension recognized by mod_mime to designate its Charset, Content-Type, Language, or Encoding, then the result depends on the setting of the MultiViewsMatch directive. This directive determines whether handlers, filters, and other extension types can participate in MultiViews negotiation.
STIG Date
IIS 7.0 Server STIG 2019-03-22

Details

Check Text ( C-10987r1_chk )
Locate the Apache httpd.conf file. If you cannot locate the file, you can do a search of the drive to find the location of the file.

Open the httpd.conf file with an editor and search for the following directive:


Then review the Options statement for the following value:

MultiViews

If the value is found on an Options statement within the Directory directive, and it does not have a "-" preceding it, this is a finding.

If the value does not exist, this would be a finding unless the Options statement has the "None" option.

Please be sure to check all occurrences of the Directory directive for the presence of the MultiViews value. If this is enabled on any of these, this would be a finding.
Fix Text (F-13182r1_fix)
Edit the httpd.conf file and add the "-" to the MultiViews setting, or set the Options directive to None.
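
The check above, as an added Python example that is not part of the STIG or the Apache documentation: it walks httpd.conf text, collects the Options values in each Directory section, and reports the sections the check text would flag. The sample configuration and the function name are constructed for illustration, and treating a section with no Options statement as a finding is an assumption drawn from the second rule in the check.

```python
import re

# Constructed sample httpd.conf content (not taken from any real server).
SAMPLE_CONF = '''\
<Directory "/var/www/html">
    Options Indexes MultiViews
</Directory>
<Directory "/var/www/app">
    Options -MultiViews FollowSymLinks
</Directory>
<Directory "/var/www/static">
    Options None
</Directory>
<Directory "/var/www/legacy">
    Options Indexes
</Directory>
# <Directory "/ignored"> Options MultiViews
'''

# Apache directive names are case-insensitive; DirectoryMatch is not matched.
OPEN = re.compile(r'^<Directory\s+(.+?)>$', re.IGNORECASE)
CLOSE = re.compile(r'^</Directory>$', re.IGNORECASE)
OPTIONS = re.compile(r'^Options\s+(.+)$', re.IGNORECASE)

def audit_multiviews(conf_text):
    """Return (directory, reason) findings following the check text."""
    findings, current, tokens = [], None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # skip blanks and commented-out directives
        m = OPEN.match(line)
        if m:
            current, tokens = m.group(1).strip('"\''), []
        elif CLOSE.match(line) and current is not None:
            if 'multiviews' in tokens or '+multiviews' in tokens:
                findings.append((current, 'MultiViews enabled'))
            # Assumption: no Options line at all also counts as "not disabled".
            elif '-multiviews' not in tokens and 'none' not in tokens:
                findings.append((current, 'MultiViews not disabled'))
            current = None
        elif current is not None:
            o = OPTIONS.match(line)
            if o:
                tokens += o.group(1).lower().split()
    return findings

if __name__ == '__main__':
    for directory, reason in audit_multiviews(SAMPLE_CONF):
        print(f'FINDING {directory}: {reason}')
```

Options set in .htaccess files or in files pulled in by Include are outside what this parses and need the same review.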