Re: phishing / spoofing question with 404

If your web site is subject to the PCIA regulations (i.e. an e-commerce site 
that takes credit cards) then this has been a requirement for the last 
several years.

The easiest way is just a custom error document that gives the standard 
message without the failed URL reference.  Since the usual message is much 
more useful, and the solution is trivial, I don't think Apache should "fix" 
it.

John
============================
On Friday 23 June 2017 13:58:21 Danny Mallory wrote:
> My apologies for posting this question if it has already been hashed out
> before.  I figured I should post this question here rather than just file an
> arbitrary bug report.
> 
> My question relates to a recent penetration test that reported a content
> spoofing finding whose root cause was simply the Apache
> default 404 response.  This appears to be just the generic nature
> of the 404 message, in that it returns in the response what the user input
> was, and while there is quite a bit from OWASP on the content spoofing
> topic I wasn't sure if this is truly a bug or up for interpretation. 
> Should this be something configurable in Apache without having to
> create a custom 404 ErrorDocument, etc.? Should it not reflect the user
> input by default unless configured to do so?
> 
> Example: (response code is a 404 but looks like a 302 to the user and
> could result in phishing)
> 192.168.2.1/example.com has moved. Please go to
> http://www.attacker.com/.
> 
> An unlimited number of these things could be tried using the default
> nature of the 404 page so curious what others opinions are.
> 
> Thx in advance,
> 
> Danny
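The mitigation John describes, written out as an added Apache configuration example that is not part of the original thread; the /errors/ paths and the document root are assumptions.

```apache
# Added example (not from the thread): replace Apache's built-in 404 body,
# which repeats the requested URL, with a static page. Paths are assumed.

# Point each status code at a local static file. A local path keeps the
# original status code; a full URL here would turn the error into a 302
# redirect, which is exactly the behaviour the pen-test finding imitates.
ErrorDocument 404 /errors/404.html
ErrorDocument 403 /errors/403.html
ErrorDocument 500 /errors/500.html

# Alternative with no separate file: a fixed inline message that makes no
# reference to the request.
# ErrorDocument 404 "The requested page was not found."

# Keep the error pages servable for every client, and disable server-side
# includes in them: an <!--#echo var="REQUEST_URI" --> inside the error page
# would put the client-controlled path straight back into the body.
Alias /errors/ /var/www/errors/
<Directory "/var/www/errors">
    Options -Includes -Indexes
    Require all granted
</Directory>
```

After reloading, a request for a non-existent path should still return status 404 while the body contains only the static text.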
