httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Danny Mallory <dmal...@gmail.com>
Subject [users@httpd] phishing / spoofing question with 404
Date Fri, 23 Jun 2017 17:58:21 GMT
My apologies for posting this question if it has already been hashed out
before.  I figured I should post this question here then just an arbitrary
bug report.

My question relates to a recent penetration test that reported a content
spoofing finding against that the root cause was simply the Apache default
404 response code.  This appears to just be the generic nature of the 404
message that it returns the response of what the user input was and while
there is quite a bit from OWASP on the content spoofing topic I wasnt sure
if this is truly a bug or up for interpretation.  Should this be something
configurable in Apache without having to create a custom 404 errordocument,
etc? Should it not reflect the user input by default unless configured to
do so?

Example: (response code is a 404 but looks like a 302 to the user and could
result in phishing)
192.168.2.1/example.com has moved. Please go to http://www.attacker.com/.

An unlimited number of these things could be tried using the default nature
of the 404 page so curious what others opinions are.

Thx in advance,

Danny

Mime
View raw message