Return-Path: 
 <users-return-72607-apmail-httpd-users-archive=httpd.apache.org@httpd.apache.org>
Delivered-To: apmail-httpd-users-archive@www.apache.org
Received: (qmail 69470 invoked from network); 23 May 2007 00:28:57 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2)
  by minotaur.apache.org with SMTP; 23 May 2007 00:28:57 -0000
Received: (qmail 79616 invoked by uid 500); 23 May 2007 00:28:52 -0000
Delivered-To: apmail-httpd-users-archive@httpd.apache.org
Received: (qmail 79608 invoked by uid 500); 23 May 2007 00:28:52 -0000
Mailing-List: contact users-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: users@httpd.apache.org
list-help: <mailto:users-help@httpd.apache.org>
list-unsubscribe: <mailto:users-unsubscribe@httpd.apache.org>
List-Post: <mailto:users@httpd.apache.org>
List-Id: <users.httpd.apache.org>
Delivered-To: mailing list users@httpd.apache.org
Received: (qmail 79597 invoked by uid 99); 23 May 2007 00:28:52 -0000
Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 22 May 2007 17:28:52 -0700
X-ASF-Spam-Status: No, hits=0.3 required=10.0
	tests=MAILTO_TO_SPAM_ADDR,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (herse.apache.org: domain of jslive@gmail.com designates
 64.233.184.236 as permitted sender)
Received: from [64.233.184.236] (HELO wr-out-0506.google.com) (64.233.184.236)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 22 May 2007 17:28:44 -0700
Received: by wr-out-0506.google.com with SMTP id q50so24628wrq
        for <users@httpd.apache.org>; Tue, 22 May 2007 17:28:22 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed;
        d=gmail.com; s=beta;
        h=domainkey-signature:received:received:message-id:date:from:sender:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth;
        b=WkEB3jXrAug0l1b9/9nQd/hS4kbJO9Me/zICehND36y/KetziOKoXFHef5xMS2Wwbg5UaqKs9Vomkz16Ij94O0soCdTIUM9LrofTVi1y77hx+Qk3CsizH5UDeV8w6+0sUpFzV+L2T1qU+FN3P0W8ana4gnelmyn7MG/KRDoheTU=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=beta;
        h=received:message-id:date:from:sender:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth;
        b=gYHV830EyGgWI1FMXhX7yWBKpOB/fzOoJeUNMG8iOFthQ3etFvAgtKxfOZnMTrBc3GIVMmzMJ0zoW6kfVJS/kky3j2xEWjUpA8NAmdb9uKFYQfMCKWpXetrpJ2NRKJ/ARdb1aNft2E/pxRDskp1yVKU2FDvldYGC6eFHvSqevhE=
Received: by 10.115.108.1 with SMTP id k1mr3511574wam.1179880101732;
        Tue, 22 May 2007 17:28:21 -0700 (PDT)
Received: by 10.114.53.5 with HTTP; Tue, 22 May 2007 17:28:21 -0700 (PDT)
Message-ID: <e498c1660705221728g2e8a4a5agd133b51b1b127586@mail.gmail.com>
Date: Tue, 22 May 2007 20:28:21 -0400
From: "Joshua Slive" <joshua@slive.ca>
Sender: jslive@gmail.com
To: users@httpd.apache.org
In-Reply-To: <465358AB.6060703@yahoo.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <465358AB.6060703@yahoo.com>
X-Google-Sender-Auth: cdb3c35546456856
X-Virus-Checked: Checked by ClamAV on apache.org
Subject: Re: [users@httpd] changing the error status code for forbidden
 resources

On 5/22/07, Bhagwati Gupta <bpg10000@yahoo.com> wrote:
> Hi,
>     I am running Apache 2.2.3 on my Debian 3.1 sarge machine. My local
> web security team has examined the system and generated a detailed
> security report. One of the issues that I am having difficulty to fix
> relates to hidden directories. I have been advised to change the server
> configuration such that '404 - not found' response is issued for
> forbidden resources as opposed to '403 - forbidden' response. I have
> tried looking on the web but have yet to find anything that could solve
> my problem. I am not sure exactly how server responses for hidden
> directories (or missing files) can be customized. Could you please help?
> Thanks!

Sounds like a silly waste of time to me. (Actually, it's more than a
waste of time, it is deliberately crippling of HTTP.)

But anyway, if you want to lie about error codes, you can go all the
way and change the to redirects:

ErrorDocument 404 http://example.com/not_found.html
ErrorDocument 403 http://example.com/not_found.html

If you just want to lie about 403 only, then the only way I know
(other than editing the code)  is to point to a cgi script that emits
its own "Status: 404" header:
ErrorDocument 403 /cgi-bin/lie-about-the-status-code.pl

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org