Bug 1444151 - Apache webserver allows kind of "Content Spoofing" using default error pages
Summary: Apache webserver allows kind of "Content Spoofing" using default error pages
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: httpd
Version: 7.3
Hardware: All
OS: Unspecified
unspecified
medium
Target Milestone: rc
: ---
Assignee: Luboš Uhliarik
QA Contact: BaseOS QE - Apps
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-04-20 17:30 UTC by Robert Scheck
Modified: 2020-06-11 13:39 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-05-19 07:45:14 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Robert Scheck 2017-04-20 17:30:02 UTC 
Description of problem:
Apache webserver allows kind of "Content Spoofing" using default error pages.
Note that I am saying explicitly "kind of" here, because such an example has
been reported multiple times via HackerOne now, nevertheless it is not really
Content Spoofing IMHO; https://bz.apache.org/bugzilla/show_bug.cgi?id=59772
seems to agree with that.

Version-Release number of selected component (if applicable):
httpd-2.4.6-45.el7_3.4.x86_64

How reproducible and Steps to Reproduce:
- Install RHEL 7 (default or minimal installation)
- yum update -y  # apply all updates
- yum install httpd -y  # install httpd
- systemctl start httpd.service  # start httpd
- Visit http://<IP>/wp-content/cache/minify/%0D%0Ahas%20moved%20to%20www.example.net.%20Please%20visit%20example.net.%20The%20requested%20resource
- Result: Not Found
  The requested URL /wp-content/cache/minify/ has moved to www.example.net. 
  Please visit example.net. The requested resource was not found on this server.

Actual results:
Apache webserver allows kind of "Content Spoofing" using default error pages.

Expected results:
No "Content Spoofing" using default error pages at all, even not "kind of".
Comment 2 Robert Scheck 2017-04-20 17:38:38 UTC 
Cross-filed case 01835054 on the Red Hat customer portal.
Comment 6 Joe Orton 2017-05-05 07:47:02 UTC 
Robert, thanks for the report.

I'm reluctant to change the defaults here.

a) Looking through the code, the URL is included in the default (hard-coded) response body for a wide variety of HTTP error responses. 

https://github.com/apache/httpd/blob/trunk/modules/http/http_protocol.c#L949

Depending on the config, it will be more or less trivial for users to get a response which includes the URL for other canned error responses too.  I don't want to patch all of that out and deviate from upstream behaviour unless we have good motivation.

b) It's actually useful to include this content in many of those errors; not doing so is really only playing to security theatre.

c) It's trivial to change the behaviour for 404 if you really do want this, a one liner:

   ErrorDocument 404 "404 Not Found" 

would suffice.
Comment 9 Red Hat Bugzilla Rules Engine 2017-05-19 07:45:14 UTC 
Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.
Note You need to log in before you can comment on or make changes to this bug.