[22643] in bugtraq
Re: Is there user Anna at your host ?
daemon@ATHENA.MIT.EDU (Bill Munger)
Thu Sep 13 13:43:34 2001
Date: Thu, 13 Sep 2001 13:32:59 -0400 (EDT)
Message-Id: <200109131732.f8DHWxJ03906@webmail.lightship.net>
From: "Bill Munger" <bmunger@lightshipmail.net>
To: bugtraq@securityfocus.com
In-Reply-To: <>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
The usefulness of this method is very limited. The numeric response code
(200, 403, 404, 500 etc) that apache sends along with a custom error page
remains unchanged. Even if your document says something generic (or even
false), apache is still being quite specific (and truthful) about the
problem it is reporting. Anyone doing a brute scan will likely pay more
attention to the numeric code than to anything in the document body.
This might fool a curious punk who is typing things in the location bar of
his mainstream browser, but it is basically useless against any attack more
sophisticated (i.e. automated) than that. Protection that is so trivially
circumvented is perhaps worse than none at all, as it can lead one to let
down his guard (c.f. trusting HTTP_REFERER for resource authorization).
Not to mention the obvious problem of hiding useful trouble-shooting
information from legitemate users/developers/administrators, etc. The
apache 'ErrorDocument' directive can make your site prettier and more user
friendly, but will not do much to increase security.
Mariusz Woloszyn <emsi@ipartners.pl> wrote:
> You can allways change error files in apache conf:
>
> ErrorDocument 404 /error/blah.html
> ErrorDocument 403 /error/blah.html
>
>
> --
> Mariusz Wołoszyn
> Internet Security Specialist, Internet Partners
