httpd-users mailing list archives

From John Iliffe <john.ili...@iliffe.ca>
Subject Re: [users@httpd] phishing / spoofing question with 404
Date Fri, 23 Jun 2017 19:00:04 GMT
If your web site is subject to the PCIA regulations (i.e. an e-commerce site that takes credit cards) then this has been a requirement for the last several years.

The easiest way is just a custom error document that gives the standard message without the failed URL reference. Since the usual message is much more useful, and the solution is trivial, I don't think Apache should "fix" it.

John
============================
On Friday 23 June 2017 13:58:21 Danny Mallory wrote:
> My apologies for posting this question if it has already been hashed out
> before. I figured I should post this question here rather than just file an
> arbitrary bug report.
> 
> My question relates to a recent penetration test that reported a content
> spoofing finding whose root cause was simply the Apache default 404
> response. This appears to be just the generic nature of the 404 message:
> it returns in the response what the user input was, and while there is
> quite a bit from OWASP on the content spoofing topic I wasn't sure if this
> is truly a bug or up for interpretation. Should this be something
> configurable in Apache without having to create a custom 404 ErrorDocument,
> etc.? Should it not reflect the user input by default unless configured to
> do so?
> 
> Example: (response code is a 404 but looks like a 302 to the user and
> could result in phishing)
> 192.168.2.1/example.com has moved. Please go to
> http://www.attacker.com/.
> 
> An unlimited number of these things could be tried using the default
> nature of the 404 page, so I am curious what others' opinions are.
> 
> Thx in advance,
> 
> Danny

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
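The fix John describes, written out as an added httpd configuration example; it is not part of the thread and not shipped by the Apache project. The built-in 404 body reads "The requested URL /... was not found on this server." with the client-supplied path echoed back (HTML-escaped, so the issue is reflected text, not script injection). The `/errors/404.html` path and the file's contents are assumptions for the example; the directive syntax is httpd 2.4.

```apache
# Weak: no ErrorDocument at all. httpd's built-in 404 page echoes the
# requested path, which is what the pentest flagged as content spoofing.
# (Nothing to configure here; this is the default behaviour.)

# Corrected, variant 1: a fixed message with no reference to the request.
# A quoted string after the status code is served as the error text.
# ErrorDocument 404 "The page you requested does not exist."

# Corrected, variant 2: a static file under DocumentRoot (assumed path).
# /errors/404.html is a plain HTML file that does not mention the URL, e.g.
#   <html><body><h1>Not Found</h1>
#   <p>The page you requested does not exist.</p></body></html>
ErrorDocument 404 /errors/404.html

# Make sure the error page itself is readable by all clients and carries
# nothing dynamic; if it were a script that printed REQUEST_URI, the
# reflection would simply move into the custom page.
<Directory "/var/www/html/errors">
    Options None
    AllowOverride None
    Require all granted
</Directory>

# Also drop the server/version footer appended to built-in error pages.
ServerSignature Off
```

To check the result, request a non-existent path containing a distinctive marker string and confirm the marker does not appear anywhere in the 404 response body; the status code should still be 404, so monitoring and crawlers behave as before.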

