[22646] in bugtraq


Re: Is there user Anna at your host ?

daemon@ATHENA.MIT.EDU (Heikki Korpela)
Fri Sep 14 01:32:49 2001

Date: Thu, 13 Sep 2001 21:08:09 +0300
From: Heikki Korpela <heko@iki.fi>
To: Bill Munger <bmunger@lightshipmail.net>
Cc: bugtraq@securityfocus.com
Message-ID: <20010913210809.A1212@openbsd.org>
Reply-To: Heikki Korpela <heko@iki.fi>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200109131732.f8DHWxJ03906@webmail.lightship.net>; from bmunger@lightshipmail.net on Thu, Sep 13, 2001 at 01:32:59PM -0400

Bill Munger wrote on "Re: Is there user Anna at your host ?": 
> The usefulness of this method is very limited. The numeric response code 
> (200, 403, 404, 500 etc) that apache sends along with a custom error page 
> remains unchanged. 

If you use a URL instead of a pathname, the user will always get a 302 / 200
reply.

% lynx -mime_header -head 'http://localhost/no/such/url' | grep HTTP
HTTP/1.1 404 Not Found
% lynx -mime_header -head 'http://localhost/images/' | grep HTTP
HTTP/1.1 403 Forbidden

% echo 'ErrorDocument 404 http://localhost/sample.html' >> /var/www/conf/httpd.conf
% echo 'ErrorDocument 403 http://localhost/sample.html' >> /var/www/conf/httpd.conf
% sudo apachectl restart
/usr/sbin/apachectl restart: httpd restarted
% lynx -mime_header -head 'http://localhost/no/such/url' | grep HTTP
HTTP/1.1 302 Found
% lynx -mime_header -head 'http://localhost/images/' | grep HTTP
HTTP/1.1 302 Found

% perl -pi -e 's|ErrorDocument 40([34]) http://localhost/sample.html|ErrorDocument 40\1 /sample.html|' /var/www/conf/httpd.conf
% sudo apachectl restart
/usr/sbin/apachectl restart: httpd restarted
% lynx -mime_header -head 'http://localhost/images/' | grep HTTP
HTTP/1.1 403 Forbidden
% lynx -mime_header 'http://localhost/no/such/url'   
HTTP/1.1 404 Not Found
Date: Thu, 13 Sep 2001 17:59:40 GMT
Server: Apache/1.3.19
Last-Modified: Thu, 13 Sep 2001 17:50:02 GMT
ETag: "5-16-3ba0f1ca"
Accept-Ranges: bytes
Content-Length: 22
Connection: close
Content-Type: text/html

Hi, I'm a sample page


Of course, this will break up some sites where automated tools (e.g.,
a client that fetches a source tarball from somewhere) may rely on the 
status code for proper operation. In general, 
ErrorDocument <status code> <URL> is bad.
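
A way to find the directives discussed above in a configuration file, as an added example that is not part of the original post: it lists each ErrorDocument line and marks full-URL targets, which are the ones that turned 403 and 404 into 302 in the session. The names audit_errordocs and sample_conf are hypothetical, and the sample configuration is constructed.

```shell
#!/bin/sh
# audit_errordocs [FILE]: classify ErrorDocument targets (reads stdin if no FILE).
# Prints "<line> <status> <kind> <target>" per directive, where kind is
#   REDIRECT  full URL: the server answers 302 and the original status is lost
#   LOCAL     local path: the original status code is kept
#   TEXT      inline message: the original status code is kept
# Returns 1 if any REDIRECT target was found, 0 otherwise.
audit_errordocs() {
    awk '
        /^[ \t]*#/ { next }    # skip commented-out directives
        tolower($1) == "errordocument" && NF >= 3 {
            # everything after the status code is the target
            target = $0
            sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", target)
            if (target ~ /^[A-Za-z][A-Za-z0-9+.-]*:\/\//) { kind = "REDIRECT"; bad = 1 }
            else if (target ~ /^\//) kind = "LOCAL"
            else kind = "TEXT"
            print NR, $2, kind, target
        }
        END { exit bad + 0 }
    ' "${1:--}"
}

# Constructed sample input, modelled on the directives in the post.
sample_conf() {
    cat <<'EOF'
# constructed sample, not a real server config
ErrorDocument 404 http://localhost/sample.html
  errordocument 403 /sample.html
#ErrorDocument 500 http://localhost/ignored.html
ErrorDocument 410 "Gone for good"
EOF
}

# Demo run on the constructed sample.
sample_conf | audit_errordocs || echo "full-URL ErrorDocument target found"
```

Run it against a real file as `audit_errordocs /var/www/conf/httpd.conf`; the non-zero return makes it usable as a check in a deployment script.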
