Apache MultiViews option is dangerous

I was poking through my web logs and saw requests to pages that didn’t exist on my server and the server returned something (200 return code), so I started looking at them. I was able to hit the pages with a browser and after much searching, I figured out how pages that obviously didn’t exist could return a valid page that was slightly messed up (image references were hosed). Turns out my sites had

Options MultiViews

in the Apache configuration files. MultiViews, as I have come to find out, guesses what page to load if the page doesn’t exist. Well, its guesses are whacked. So, disabling this feature fixed the problem and now pages that don’t exist get redirected to the home page.
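One way to audit for this, as an added example that is not from the original post: the Python below scans access-log lines for 200 responses whose path has no exact file under the document root but does have a `name.*` sibling that MultiViews could have served. The function names, the sample log lines and the throwaway docroot are constructed for illustration, and picking the first sibling alphabetically is a simplification of Apache's negotiation.

```python
import os
import re
import tempfile

# Matches the request path and status code in common/combined log format.
LOG_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def multiviews_match(docroot, url_path):
    """Return the file MultiViews would likely negotiate for url_path, or None."""
    current = docroot
    for segment in url_path.split("?", 1)[0].strip("/").split("/"):
        if segment in ("", ".", ".."):
            return None  # root or traversal-style path: not handled here
        candidate = os.path.join(current, segment)
        if os.path.exists(candidate):
            current = candidate  # exact match, keep walking
            continue
        if not os.path.isdir(current):
            return None  # trailing path after a real file, not negotiation
        # First missing segment: MultiViews looks for "<segment>.*" siblings.
        hits = sorted(f for f in os.listdir(current) if f.startswith(segment + "."))
        return os.path.join(current, hits[0]) if hits else None
    return None  # every segment exists on disk, nothing was guessed

def find_negotiated_hits(docroot, log_lines):
    """List (requested_path, file_on_disk) for 200s with no exact file match."""
    found = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group(2) == "200":
            served = multiviews_match(docroot, m.group(1))
            if served:
                found.append((m.group(1), os.path.relpath(served, docroot)))
    return found

SAMPLE_LOG = [  # constructed log lines, not taken from the original post
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /about.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /about HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /about/x/y HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /missing HTTP/1.1" 404 196',
]

def demo():
    """Build a throwaway docroot holding only about.php and scan SAMPLE_LOG."""
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "about.php"), "w").close()
        return find_negotiated_hits(root, SAMPLE_LOG)

if __name__ == "__main__":
    print(demo())
```

Point `find_negotiated_hits` at a real document root and access log to list the URLs that were answered by guessing rather than by an exact file.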
