This method works with both mod_negotiation and MultiViews. But they are different features of Apache.

as far as I know it’s part of mod_negotiation

MultiViews is a built-in feature of Apache. It works without mod_negotiation or any other module (it’s core feature) - it works on my Apache 1.3.23 and I haven’t mod_negotiation module. So attacks on MultiViews feature can work on any site on Apache with or without mod_negotiation (just MultiViews needs to be turned on).

I got to know about this module recently, when was publishing my article, when I was looking about information if Apache 2 support MultiViews. Yes it does support it (and I also found that there is such mod_negotiation module for Apache 1.3.x and 2.x).

I just looked at Apache Module mod_negotiation documentation and as I saw - this module support the same feature as MultiViews and much more (it’s more advanced variant of it). If there is such module on server it overrides MultiViews functionality to itself (and adds new functionality) and if there is no such module, then built-in MultiViews works.

I wrote a small script for this a while ago

You used module mod_negotiation as attack vector, and I used MultiViews option as attack vector. It’s different attack vectors with similar idea. I never used mod_negotiation, so I’d read more about it and about your method of attack.

Automation of brute-forcing filenames at the servers it’s good thing , so everyone who interested can take a look at your script.

it is a nice method for additional information if it’s enabled.

Indeed.

DiabloHorn

Thanks for information.

From conversation with other reader of my site in comments I know that it is documented and known for a long time feature of Apache (MultiViews). But I looked at it from other side - I used this future for hacking purposes (for fingerprinting and information leakage). I.e. it’s Abuse of Functionality attack on Apache.

I created this method in September 2006 when found this Apache’s behaviour (concerned with MultiViews). Only now I found time to write the article about it. But I used this method in my practice - particularly in 2007 I used it during security audit to find hidden information at the site of my client.

It can be turned off though and a lot of web servers don’t seem to use it.

Yes, you are right. Mostly it’s turned off nowadays at web sites in Internet, but earlier I found more web sites with it’s turned on. Even with not large prevalence, this method is interesting and can be used for fingerprinting and information leakage attacks.

interesting I wrote a small script for this a while ago:

http://diablohorn.wordpress.com/2009/07/16/bit-more-efficient-brute-forcing/

The feature is indeed been known for some time now, it’s extremely nice if you want to have more results then your normal word list supports.

It can be turned off though and a lot of web servers don’t seem to use it.

DiabloHorn