How to prevent content-spoofing on Apache 2.4?

Question

The below URL is an example of content-spoofing. I need to show my 404 page when I hit a URL like below:

http://www.example.com/you%27re%20are%20looking%20for%20was%20not%20found%20on%20this%20server%20Please%20visit%20this%20webpage%20to%20fix%20the%20issue%20%28http%3a%2f%2fmalicious.site.evil.com%2f.%20Again%2cthe%20page%20

Currently I see Apache's default error page as below:

The requested URL /you're are looking for was not found on this server Please visit this webpage to fix the issue (http://malicious.site.evil.com/. Again,the page was not found on this server.

I have tried adding RewriteCond in .htaccess. I have also tried adding the below

AllowEncodedSlashes NoDecode

at the end of httpd.conf file as mentioned in this.

But nothing seems to be working.

Can someone please help?

Update

Below is snippet of .htaccess

ErrorDocument 404 /404.html

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-l
RewriteRule ^ /404.html [L,R=404]

I have custom error page in place in .htaccess. But how do I redirect URLs mentioned above to display my error page? — pix1289, Mar 14 '19 at 10:16
If you've correctly configured your custom error you shouldn't need to — Alan Birtles, Mar 14 '19 at 10:17
are .htaccess files enabled in your server configuration and are they allowed to set the `ErrorDocument`? — Alan Birtles, Mar 14 '19 at 11:10
also note that apache recommends against the use of .htaccess files unless you don't have access to the server configuration — Alan Birtles, Mar 14 '19 at 11:13
Yes, .htaccess file is enabled in server configuration and allowed to set ErrorDocument. I also have access to server configuration. — pix1289, Mar 15 '19 at 08:03

score 0 · Answer 1 · edited Nov 22 '19 at 09:58

0

Fix is “simple” but needs to be applied to every vulnerable vhost explicitly

VirtualHost *:80
[...]

AllowEncodedSlashes nodecode

/VirtualHost>



 VirtualHost *:433
[...]

AllowEncodedSlashes nodecode

/VirtualHost

dont forget the < at the start of virtual host

edited Nov 22 '19 at 09:58

SomeDutchGuy

2,249
4
16
42

answered Nov 22 '19 at 09:21

Lyonsy

1

How to prevent content-spoofing on Apache 2.4?

1 Answers1