Default httpd error pages allow for content spoofing


Issue

  • Default httpd error pages allow for a kind of content spoofing. For instance, request a nonexistent page with a message encoded into the URL (for example http:///absent/content/%0D%0Ahas%20moved%20to%20www.example.net.%20Please%20visit%20example.net.%20The%20requested%20resource, where %0D%0A is an encoded CRLF and %20 an encoded space), and the default 404 page reflects the decoded path, producing output like the one below that points the client at an external site:
    Not Found
    The requested URL /absent/content/ has moved to www.example.net.
    Please visit example.net. The requested resource was not found on this server.
  • Content spoofing (also called text injection) is an attack against a user that is made possible by an injection flaw in a web application. When the application does not properly handle user-supplied data, an attacker can supply content, typically via a parameter value or, as here, the request path, that is reflected back to the user. The user is then presented with a modified page served under the context of the trusted domain. Because httpd HTML-escapes the request URI before placing it in its built-in error pages, the injected content is plain text rather than markup or script; the risk is social engineering (a convincing "has moved to" message on a trusted host), not cross-site scripting.
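
The following is an added example, not code from the Red Hat article or from httpd itself. It models what the default 404 document does with the request path (percent-decode, HTML-escape, embed in fixed text), so you can see why the article's payload comes out as readable prose while markup is neutralised, and it adds a log check that flags 404 requests built the same way. The access log lines are constructed for the example; the host 203.0.113.x addresses and the `suspicious_error_requests` helper are assumptions, not anything the article names.

```python
"""Model of httpd's built-in 404 page reflecting the request path, plus a
check over Common Log Format lines for the text-injection pattern from the
article. Added example; not the article's or httpd's own code."""
import html
import re
from urllib.parse import unquote

# The article's payload (its URL has no host, so only the path is used here).
ATTACK_PATH = (
    "/absent/content/%0D%0Ahas%20moved%20to%20www.example.net.%20"
    "Please%20visit%20example.net.%20The%20requested%20resource"
)


def render_default_404(request_path: str) -> str:
    """Approximation of httpd's default 404 body: the decoded request URI is
    HTML-escaped and dropped into fixed wording. Escaping stops markup and
    script injection, but not injected *text*, which is the article's point."""
    shown = html.escape(unquote(request_path), quote=True)
    return (
        "<title>404 Not Found</title>\n<h1>Not Found</h1>\n"
        f"<p>The requested URL {shown} was not found on this server.</p>\n"
    )


# Constructed access_log lines (Common Log Format). httpd logs the request
# line as received, so the percent-encoding is still visible in the log.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] '
    '"GET /index.html HTTP/1.1" 200 2326',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] '
    '"GET ' + ATTACK_PATH + ' HTTP/1.1" 404 289',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] '
    '"GET /old/page.html HTTP/1.1" 404 196',
]

LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+" (?P<status>\d{3})'
)
ENCODED_CRLF = re.compile(r"%0[dDaA]")
REDIRECT_WORDING = re.compile(r"(?i)\b(?:moved|visit|www\.|https?://)")


def suspicious_error_requests(log_lines):
    """Return (request_target, reasons) for 404 requests whose path looks
    like injected prose rather than a real resource name: encoded CR/LF,
    several decoded spaces, or wording that tells the reader to go elsewhere.
    Hypothetical helper for this example, not a Red Hat or httpd tool."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("status") != "404":
            continue
        target = m.group("target")
        decoded = unquote(target.split("?", 1)[0])
        reasons = []
        if ENCODED_CRLF.search(target):
            reasons.append("encoded CR/LF")
        if decoded.count(" ") >= 3:
            reasons.append("multi-word path")
        if REDIRECT_WORDING.search(decoded):
            reasons.append("redirect-style wording")
        if reasons:
            findings.append((target, reasons))
    return findings


if __name__ == "__main__":
    print(render_default_404(ATTACK_PATH))
    for target, reasons in suspicious_error_requests(SAMPLE_ACCESS_LOG):
        print("suspicious 404:", target, reasons)
```

Running the block prints the same "has moved to www.example.net." body the article shows, while a path such as `/x/%3Cscript%3E` comes back as `&lt;script&gt;`. Whatever the article's subscriber-only solution says, the standard httpd way to stop the reflection is a custom error page configured with `ErrorDocument` that does not echo the request URI; that is ordinary httpd configuration, not a claim about this article's text.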

Environment

  • Red Hat Enterprise Linux (RHEL)
  • JBoss Enterprise Web Server (JWS)
  • JBoss Core Services (JBCS)
  • Apache httpd
