My apologies for posting this question if it has already been hashed out before. I figured I should post this question here then just an arbitrary bug report.
My question relates to a recent penetration test that reported a content spoofing finding against that the root cause was simply the Apache default 404 response code. This appears to just be the generic nature of the 404 message that it returns the response of what the user input was and while there is quite a bit from OWASP on the content spoofing topic I wasnt sure if this is truly a bug or up for interpretation. Should this be something configurable in Apache without having to create a custom 404 errordocument, etc? Should it not reflect the user input by default unless configured to do so? Example: (response code is a 404 but looks like a 302 to the user and could result in phishing) 192.168.2.1/example.com has moved. Please go to http://www.attacker.com/. An unlimited number of these things could be tried using the default nature of the 404 page so curious what others opinions are. Thx in advance, Danny
