Apache MultiViews option is dangerous

I was poking through my web logs and saw requests to pages that didn’t exist on my server and the server returned something (200 return code), so I started looking at them. I was able to hit the pages with a browser and after much searching, I figured out how pages that obviously didn’t exist could return a valid page that was slightly messed up (image references were hosed). Turns out my sites had

Options MultiViews

in the Apache configuration files. MultiViews, as I have come to find out, guesses what page to load if the page doesn’t exist. Well, its guesses are whacked. So, disabling this feature fixed the problem and now pages that don’t exist get redirected to the home page.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.