Default httpd error pages allow for content spoofing
Issue
- Default httpd error pages allow for a kind of content spoofing. For instance, request a nonexistent page with a message encoded into the URL (like http://
/absent/content/%0D%0Ahas%20moved%20to%20www.example.net.%20Please%20visit%20example.net.%20The%20requested%20resource), and you get output like the following, which points the client to an external site:
Not Found
The requested URL /absent/content/ has moved to www.example.net.
Please visit example.net. The requested resource was not found on this server.
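The following check is an added example, not part of the original article or of httpd. It classifies whether an error page body reflects decoded text from the request path, using the article's URL as input. The function names and both sample bodies are constructed for illustration; the static page stands in for a custom error document that does not echo the URL.

```python
import html
import re
from urllib.parse import unquote

def _squash(text):
    """Collapse whitespace runs (CR, LF, tabs, spaces) into single spaces."""
    return re.sub(r"\s+", " ", text).strip()

def rendered_text(body):
    """Approximate what a browser displays: drop tags, decode entities."""
    no_tags = re.sub(r"<[^>]+>", " ", body)
    return _squash(html.unescape(no_tags))

def classify_error_page(request_path, body):
    """Classify how an error page treats the requested path.

    Returns "not_reflected", "reflected", or "reflected_free_text"; the
    last means decoded whitespace in the path reached the page, so
    sentences placed in the URL read as part of the server's message.
    """
    decoded = unquote(request_path)
    if _squash(decoded) not in rendered_text(body):
        return "not_reflected"
    return "reflected_free_text" if re.search(r"\s", decoded) else "reflected"

# Request path taken from the article.
ARTICLE_PATH = ("/absent/content/%0D%0Ahas%20moved%20to%20www.example.net."
                "%20Please%20visit%20example.net.%20The%20requested%20resource")

# Constructed sample bodies (not captured from a real server).
DEFAULT_404 = """<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1>
<p>The requested URL /absent/content/
has moved to www.example.net. Please visit example.net. The requested resource was not found on this server.</p>
</body></html>"""

STATIC_404 = """<html><head><title>Not Found</title></head><body>
<h1>Not Found</h1>
<p>The page you asked for could not be found.</p>
</body></html>"""

if __name__ == "__main__":
    for name, body in (("default", DEFAULT_404), ("static", STATIC_404)):
        print(name, classify_error_page(ARTICLE_PATH, body))
```

Running the same check against your own server's 404 response before and after changing its error page shows whether URL text still reaches the page.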
Environment
- Red Hat Enterprise Linux (RHEL)
- JBoss Enterprise Web Server (JWS)
- JBoss Core Services (JBCS)
- Apache httpd
