If your web site is subject to the PCIA regulations (i.e. an e-commerce site that takes credit cards) then this has been a requirement for the last several years. The easiest way is just a custom error document that gives the standard message without the failed URL reference. Since the usual message is much more useful, and the solution is trivial, I don't think Apache should "fix" it.

John
============================

On Friday 23 June 2017 13:58:21 Danny Mallory wrote:
> My apologies for posting this question if it has already been hashed out
> before. I figured I should post this question here rather than just file an
> arbitrary bug report.
>
> My question relates to a recent penetration test that reported a content
> spoofing finding whose root cause was simply the Apache default 404
> response. This appears to just be the generic nature of the 404 message,
> in that it returns in the response what the user input was, and while
> there is quite a bit from OWASP on the content spoofing topic I wasn't
> sure if this is truly a bug or up for interpretation. Should this be
> something configurable in Apache without having to create a custom 404
> ErrorDocument, etc.? Should it not reflect the user input by default
> unless configured to do so?
>
> Example: (response code is a 404 but looks like a 302 to the user and
> could result in phishing)
> 192.168.2.1/example.com has moved. Please go to
> http://www.attacker.com/.
>
> An unlimited number of these things could be tried using the default
> nature of the 404 page, so I'm curious what others' opinions are.
>
> Thx in advance,
>
> Danny
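The custom error document John refers to, as an added configuration example that is not from this thread; the file path, directory and message text are placeholders chosen for illustration:

```apache
# Added example (not from the thread): replace httpd's default 404 body,
# which echoes the requested path back to the client, with a fixed message
# that never reflects client input. Paths and wording are placeholders.

# Option 1: a fixed inline message. The leading double quote tells httpd
# the argument is literal text rather than a URL path.
ErrorDocument 404 "The requested resource was not found on this server."

# Option 2 (comment out Option 1 if you use this; the last directive wins):
# a static HTML page served from the local document tree. Give a local path,
# not a full http:// URL, because a full URL makes httpd answer with a
# redirect instead of a 404 and would itself look like the spoofed example.
#ErrorDocument 404 /errors/404.html

# Lock down the directory that holds the static error pages so the only
# thing served from it is the fixed page itself.
<Directory "/var/www/html/errors">
    Options None
    AllowOverride None
    Require all granted
</Directory>
```

After reloading httpd, request a nonexistent path and confirm the body no longer contains the path you asked for.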