Posted to bugs@httpd.apache.org by bu...@apache.org on 2016/06/29 21:01:54 UTC

[Bug 59772] New: "Content Spoofing" via Apache default 404 responses

https://bz.apache.org/bugzilla/show_bug.cgi?id=59772

            Bug ID: 59772
           Summary: "Content Spoofing" via Apache default 404 responses
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
          Assignee: bugs@httpd.apache.org
          Reporter: john@nixnuts.net

Hi there,

I've seen lots of reports of "Content Spoofing" or "Parameter Tampering"
vulnerabilities in websites that essentially come down to the website sending
the default Apache 404 responses that include the path of the missing URI in
the response body.

Examples:

https://hackerone.com/reports/106350

https://bugzilla.mozilla.org/show_bug.cgi?id=850546


Since this is an Apache default it would help to know whether or not the Apache
team considers the behavior to be a vulnerability.

Your bugzilla instance has the same behavior.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 59772] "Content Spoofing" via Apache default 404 responses

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59772

Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Eric Covener <co...@gmail.com> ---
The httpd project doesn't consider the request URL in the default error
documents as a vulnerability. No default change is planned.

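One way a site operator can stop the default 404 body from repeating the requested path, as an added httpd configuration example that is not part of the bug report or of the httpd project's own defaults; the DocumentRoot, the /errors/404.html file and the Directory block are assumptions:

```apache
# Added example (not from the bug report). httpd's built-in 404 body includes
# the requested path; overriding it with ErrorDocument removes that echo.
# Assumes DocumentRoot /var/www/html and a static file
# /var/www/html/errors/404.html that does not mention the request URI.

# Default: no ErrorDocument directive, so the built-in body is used and
# the path from the request appears in the response.

# Option 1: a fixed literal message (2.4 syntax: a quoted string).
# The request path is never part of the body.
# ErrorDocument 404 "Not Found"

# Option 2: a static local file, served with the 404 status intact.
# Use a local path, not a full URL: a full URL makes httpd answer with a
# 302 redirect instead of a 404.
ErrorDocument 404 /errors/404.html

# The error page must itself be servable, or httpd reports a second error.
<Directory "/var/www/html/errors">
    Require all granted
</Directory>
```

Only one ErrorDocument 404 directive is active in a given scope; the last one read wins, so leave exactly one uncommented.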