Default httpd error pages allow for content spoofing


Issue

  • Default httpd error pages allow a form of content spoofing. For instance, request a nonexistent page with a message encoded into the URL (like http:///absent/content/%0D%0Ahas%20moved%20to%20www.example.net.%20Please%20visit%20example.net.%20The%20requested%20resource), and the error page returns output like the following, which points the client to an external site:

    Not Found
    The requested URL /absent/content/ has moved to www.example.net.
    Please visit example.net. The requested resource was not found on this server.
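
One way to spot this pattern in httpd access logs, as an added example that is not part of the original article or Red Hat's own tooling: it flags 404 responses whose percent-decoded path contains CR/LF or reads like a sentence. The function names, the word-count threshold and the sample log lines (Apache common log format) are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache common/combined log prefix: host ident user [time] "METHOD path PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
MIN_WORDS = 4  # assumed threshold for "reads like a sentence"

def inspect_path(raw_path):
    """Return details if the decoded path looks like an embedded message, else None."""
    path = unquote(raw_path.split("?", 1)[0])  # the query string is ignored here
    words = path.split()
    reasons = []
    if "\r" in path or "\n" in path:
        reasons.append("CR/LF in path")
    if len(words) >= MIN_WORDS:
        reasons.append("sentence-like path")
    if not reasons:
        return None
    # Host names mentioned in the message show where readers were being pointed.
    tokens = [w.rstrip(".,") for w in words[1:]]
    hosts = [t for t in tokens if HOST_RE.fullmatch(t)]
    return {"decoded": path, "reasons": reasons, "hosts": hosts}

def suspicious_404s(log_lines):
    """Return (client, details) for each 404 whose path looks like a message."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group(3) != "404":
            continue
        details = inspect_path(m.group(2))
        if details:
            hits.append((m.group(1), details))
    return hits

# Constructed sample log lines; the first reuses the path from the article.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /absent/content/%0D%0Ahas%20moved%20to%20www.example.net.%20Please%20visit%20example.net.%20The%20requested%20resource HTTP/1.1" 404 312',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 196',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /docs/My%20Report.pdf HTTP/1.1" 404 205',
    '192.0.2.13 - - [01/Jan/2024:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, d in suspicious_404s(SAMPLE_LOG):
        print(client, d["reasons"], d["hosts"])
```

Ordinary 404s for missing files, including names with a single encoded space, are not flagged; only the message-bearing request is reported along with the host names it mentions.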

Environment

  • Red Hat Enterprise Linux (RHEL)
  • JBoss Enterprise Web Server (JWS)
  • JBoss Core Services (JBCS)
  • Apache httpd
