The MultiViews directive must be disabled.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-13734 | WA000-WWA056 A22 | SV-32754r1_rule | - | medium |
| Description |
| Directory options directives are directives that can be applied to further restrict access to files and directories. MultiViews is a per-directory option, meaning it can be set with an Options directive within a <Directory>, <Location> or <Files> section in httpd.conf, or (if AllowOverride is properly set) in .htaccess files. The effect of MultiViews is as follows: if the server receives a request for /some/dir/foo, /some/dir has MultiViews enabled, and /some/dir/foo does not exist, then the server reads the directory looking for files named foo.*, and effectively fakes up a type map which names all those files, assigning them the same media types and content-encodings it would have if the client had asked for one of them by name. It then chooses the best match to the client's requirements. |
| STIG | Date |
| APACHE 2.2 Server for UNIX Security Technical Implementation Guide | 2019-01-07 |
Details
Check Text (C-32754r1_chk)
To view the MultiViews value enter the following command:
grep "MultiView" /usr/local/apache2/conf/httpd.conf
Review all uncommented Options statements for the following value: -MultiViews
If the value is found on the Options statement, and it does not have a preceding '-', this is a finding.
Notes:
- If the value does NOT exist, this is a finding.
- If all enabled Options statements are set to None, this is not a finding.
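The review in the check text can be scripted. The following is an added example, not part of the STIG: `check_multiviews` is a hypothetical helper name and the sample configuration is constructed. It assumes that a file with no uncommented Options statement counts as "the value does NOT exist", and it reads only the file it is given (Include directives are not followed).

```shell
#!/bin/sh
# Added example: audit one Apache config file against the check text above.
# Prints one line per finding; returns 0 when compliant, 1 on a finding.
check_multiviews() {
    awk '
    # Only uncommented Options statements (directive names are case-insensitive).
    tolower($1) == "options" {
        seen++
        disabled = 0; enabled = 0
        for (i = 2; i <= NF; i++) {
            opt = tolower($i)
            if (opt == "-multiviews") disabled = 1
            else if (opt == "multiviews" || opt == "+multiviews") enabled = 1
        }
        if (NF == 2 && tolower($2) == "none") next   # Options None: not a finding
        if (enabled)        { printf "FINDING line %d: MultiViews enabled: %s\n", NR, $0; bad++ }
        else if (!disabled) { printf "FINDING line %d: -MultiViews missing: %s\n", NR, $0; bad++ }
    }
    END {
        # Assumption: no Options statement at all means the value does not exist.
        if (!seen) { print "FINDING: no uncommented Options statement found"; bad++ }
        exit (bad ? 1 : 0)
    }' "$1"
}

# Constructed sample configuration, for demonstration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<Directory />
    Options None
</Directory>
<Directory "/usr/local/apache2/htdocs">
    Options Indexes FollowSymLinks MultiViews
</Directory>
# Options +MultiViews
<Directory "/usr/local/apache2/cgi-bin">
    Options -MultiViews +ExecCGI
</Directory>
EOF
check_multiviews "$sample" || echo "result: finding"
rm -f "$sample"
```

Run it against each configuration file that can carry Options statements, including any .htaccess files permitted by AllowOverride.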
Fix Text (F-29247r1_fix)
Edit the httpd.conf file and add the "-" to the MultiViews setting, or set the Options directive to None.