Posted to bugs@httpd.apache.org by bu...@apache.org on 2016/06/29 21:01:54 UTC
[Bug 59772] New: "Content Spoofing" via Apache default 404 responses
https://bz.apache.org/bugzilla/show_bug.cgi?id=59772
Bug ID: 59772
Summary: "Content Spoofing" via Apache default 404 responses
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Core
Assignee: bugs@httpd.apache.org
Reporter: john@nixnuts.net
Hi there,
I've seen lots of reports of "Content Spoofing" or "Parameter Tampering"
vulnerabilities in websites that essentially come down to the website sending
the default Apache 404 responses that include the path of the missing URI in
the response body.
Examples:
https://hackerone.com/reports/106350
https://bugzilla.mozilla.org/show_bug.cgi?id=850546
Since this is an Apache default it would help to know whether or not the Apache
team considers the behavior to be a vulnerability.
Your bugzilla instance has the same behavior.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
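Added example, not part of the original thread or of the httpd project's code: a Python check that tells whether a 404 body echoes the requested path, the behaviour the report above describes. The sample bodies, the /audit- path prefix and all function names are constructed for illustration.

```python
import html
import urllib.error
import urllib.parse
import urllib.request
import uuid

# Constructed sample bodies (not captured from a real server). The first is
# modelled on the behaviour the report describes: the missing path is echoed.
ECHOING_404 = (
    "<html><head><title>404 Not Found</title></head><body>\n"
    "<h1>Not Found</h1>\n"
    "<p>The requested URL {path} was not found on this server.</p>\n"
    "</body></html>\n"
)
STATIC_404 = "<html><body><h1>Not Found</h1></body></html>\n"


def reflected_forms(path):
    """Spellings a server might use when echoing `path` into an HTML body."""
    decoded = urllib.parse.unquote(path)
    return {path, decoded, html.escape(path), html.escape(decoded)}


def body_reflects_path(body, path):
    """True if any spelling of the requested path appears in the body."""
    return any(form in body for form in reflected_forms(path))


def probe(base_url, timeout=5):
    """Request a random missing path on a server you operate.

    Returns True/False for a 404 whose body does/doesn't echo the path,
    or None when the server did not answer 404.
    """
    path = "/audit-" + uuid.uuid4().hex + "/two%20words"
    try:
        urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout)
    except urllib.error.HTTPError as err:
        if err.code != 404:
            return None
        return body_reflects_path(err.read().decode("utf-8", "replace"), path)
    return None


if __name__ == "__main__":
    requested = "/audit-0000/two%20words"
    shown = html.escape(urllib.parse.unquote(requested))
    print(body_reflects_path(ECHOING_404.format(path=shown), requested))
    print(body_reflects_path(STATIC_404, requested))
```

A site that serves a fixed page through the ErrorDocument directive corresponds to the STATIC_404 case here.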
[Bug 59772] "Content Spoofing" via Apache default 404 responses
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59772
Eric Covener <co...@gmail.com> changed:
What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |RESOLVED
Resolution |---     |INVALID
--- Comment #1 from Eric Covener <co...@gmail.com> ---
The httpd project doesn't consider the request URL in the default error
documents as a vulnerability. No default change is planned.