> -----Original Message-----
> From: Matt Rigor [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, May 23, 2007 4:16 PM
> To: users@httpd.apache.org
> Subject: Re: [EMAIL PROTECTED] changing the error status code for forbidden resources
>
> Joshua,
>
> Three questions in hopes of bettering my understanding of Apache.
>
> Why not just edit the conf file to take the 403 error and have it
> redirect to the Apache 404 error page within the error directory?
> Example below.
>
> ErrorDocument 403 /error/HTTP_NOT_FOUND.html.var
> ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
>
> As an alternative, why not just edit the actual 403 error page contents
> to reflect the error you desire.
>
> Finally, you mention that "it's more than a waste of time, it is
> deliberately crippling of HTTP". Why?
It's a waste of time because there's no risk. The server is already denying the resource. It's "crippling" because the request and response headers were defined to help set up and debug the web as it grew. If every server lied about what was really happening it would be much harder to carry out said set-up and debug.

However, I wasn't going to mention this, but since the question has arisen, RFC 2616 section 10.4.4 actually *does* allow the server to masquerade a 403 as a 404 if "the server does not wish to make this information [reason request refused] available to the client"...

I understand the reluctance to support these "security by obscurity" ploys, but I think in this case that maybe the RFC has it right. I guess it's a bit like the common trick on firewalls whereby a request for a denied socket is silently dropped (nothing sent back to client) rather than actively refused (refusal sent back to client immediately). The idea is that the attacker can't distinguish between a real block at the FW and simple network or application latency and has to wait a long time to find out.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

> >>> [EMAIL PROTECTED] 5/22/2007 7:28 PM >>>
> On 5/22/07, Bhagwati Gupta <[EMAIL PROTECTED]> wrote:
> > Hi,
> > I am running Apache 2.2.3 on my Debian 3.1 sarge machine. My local
> > web security team has examined the system and generated a detailed
> > security report. One of the issues that I am having difficulty fixing
> > relates to hidden directories. I have been advised to change the server
> > configuration such that a '404 - not found' response is issued for
> > forbidden resources as opposed to a '403 - forbidden' response. I have
> > tried looking on the web but have yet to find anything that could solve
> > my problem. I am not sure exactly how server responses for hidden
> > directories (or missing files) can be customized. Could you please help?
> > Thanks!
>
> Sounds like a silly waste of time to me. (Actually, it's more than a
> waste of time, it is deliberately crippling of HTTP.)
>
> But anyway, if you want to lie about error codes, you can go all the
> way and change them to redirects:
>
> ErrorDocument 404 http://example.com/not_found.html
> ErrorDocument 403 http://example.com/not_found.html
>
> If you just want to lie about 403 only, then the only way I know
> (other than editing the code) is to point to a cgi script that emits
> its own "Status: 404" header:
>
> ErrorDocument 403 /cgi-bin/lie-about-the-status-code.pl
>
> Joshua.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: [EMAIL PROTECTED]
>    "   from the digest: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
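A worked version of the CGI approach Joshua describes, added here as an example that is not part of the thread: an ErrorDocument handler (the file name `lie-about-the-status-code.py` mirrors his hypothetical `.pl`) that reports a genuine 403 as a 404, passes every other status through unchanged so a misconfigured mapping stays visible, HTML-escapes the reflected path, and writes the real reason to stderr so the server's error log still records the truth. It assumes Apache's documented behaviour of setting REDIRECT_STATUS and REDIRECT_URL for an ErrorDocument CGI.

```python
#!/usr/bin/env python3
"""CGI handler for: ErrorDocument 403 /cgi-bin/lie-about-the-status-code.py
Apache runs an ErrorDocument CGI with REDIRECT_STATUS set to the original
status code and REDIRECT_URL set to the path the client requested."""
import html
import os
import sys
from http import HTTPStatus

# Constructed to resemble Apache's default "Not Found" page, so a masked 403
# looks the same as a genuine 404 from this server.
NOT_FOUND_BODY = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1>
<p>The requested URL {url} was not found on this server.</p>
</body></html>
"""

def status_line(code):
    """'403' -> '403 Forbidden'. Anything unrecognised becomes a 500 so a
    misconfigured ErrorDocument mapping cannot silently turn into a 404."""
    try:
        return f"{int(code)} {HTTPStatus(int(code)).phrase}"
    except ValueError:
        return "500 Internal Server Error"

def build_response(environ):
    """Return (status_line, html_body) for CGI environment `environ`.
    Only a genuine 403 from Apache's access control is reported as 404
    (RFC 2616 section 10.4.4 permits this); any other status passes through."""
    original = environ.get("REDIRECT_STATUS", "")
    # Escape the reflected path: it is client-controlled input.
    url = html.escape(environ.get("REDIRECT_URL", "/"))
    if original == "403":
        return "404 Not Found", NOT_FOUND_BODY.format(url=url)
    status = status_line(original)
    return status, f"<html><body><h1>{status}</h1></body></html>\n"

def main():
    status, body = build_response(os.environ)
    if os.environ.get("REDIRECT_STATUS") == "403":
        # CGI stderr goes to Apache's error log, so operators keep the truth.
        print(f"masked 403 as 404 for {os.environ.get('REDIRECT_URL')}",
              file=sys.stderr)
    # The Status: header is what makes Apache send 404 rather than 403.
    sys.stdout.write(f"Status: {status}\r\nContent-Type: text/html\r\n\r\n{body}")

if __name__ == "__main__":
    main()
```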