Default httpd error pages allow for content spoofing
Issue
- Default httpd error pages allow for a kind of content spoofing. For instance, request a non-existent page with a message encoded into the URL (like http://
/absent/content/%0D%0Ahas%20moved%20to%20www.example.net.%20Please%20visit%20example.net.%20The%20requested%20resource), and the server returns output like the following, which links the client to an external site:
Not Found
The requested URL /absent/content/ has moved to www.example.net.
Please visit example.net. The requested resource was not found on this server.
- Content spoofing (also called text injection) is an attack targeting a user that is made possible by an injection vulnerability in a web application. When an application does not properly handle user-supplied data, an attacker can supply content, typically via a parameter value, that is reflected back to the user. The user is then presented with a modified page under the context of the trusted domain.
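As an added example (not from this article or from Red Hat), the following Python check scans Apache access-log lines for 404 requests whose path carries percent-encoded line breaks or sentence-like text, and shows what the default httpd 404 page would echo back to the client. The log lines are constructed; the function and field names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /absent/content/%0D%0Ahas%20moved%20to%20www.example.net.%20Please%20visit%20example.net.%20The%20requested%20resource HTTP/1.1" 404 312 "-" "curl/7.61"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /docs/missing HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Request line as httpd logs it: the path is still percent-encoded, so it has no spaces.
REQ_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def is_suspicious_path(raw_path: str) -> bool:
    """Heuristic: a legitimate file path contains no control characters and is
    not a sentence. CR/LF (%0D%0A) is the strongest signal, since that is what
    turns the echoed path into a new line of the error page."""
    decoded = unquote(raw_path)
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in decoded):
        return True
    return len(decoded.split()) >= 3  # several space-separated words: looks like prose


def reflected_text(raw_path: str) -> str:
    """What the default 404 body would show once the path is echoed into the
    canned message (wording follows the example output in the article)."""
    return f"The requested URL {unquote(raw_path)} was not found on this server."


def find_spoof_attempts(log_text: str) -> list:
    """Return one record per 404 request whose path looks like injected text."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_LINE.search(line)
        if not m or m.group("status") != "404":
            continue
        path = m.group("path")
        if is_suspicious_path(path):
            hits.append({"path": path, "rendered": reflected_text(path)})
    return hits


if __name__ == "__main__":
    for hit in find_spoof_attempts(SAMPLE_LOG):
        print(repr(hit["rendered"]))
```

A custom ErrorDocument that does not echo the request path removes the reflection entirely; the scan above is only for spotting attempts in existing logs.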
Environment
- Red Hat Enterprise Linux (RHEL)
- JBoss Enterprise Web Server (JWS)
- JBoss Core Services (JBCS)
- Apache httpd