httpd-users mailing list archives

From "Hugh E Cruickshank" <h...@forsoft.com>
Subject RE: [users@httpd] Directory hiding
Date Tue, 16 Sep 2008 05:57:49 GMT
From: Nick Kew Sent: September 15, 2008 19:43
> 
> On 16 Sep 2008, at 02:44, Hugh E Cruickshank wrote:
> 
> > Right now if someone were to attempt to access these subdirectories
> > (i.e. http://www.example.com/cgi-bin) they would receive a 403
> > Forbidden error message. Unfortunately this is not quite acceptable
> > to the IBM Rational AppScan utility which recommends that a 404
> > Not found error should be issued.
> 
> I suspect you're misreading your AppScan.

That is a good possibility.

> It's warning about potentially exposing your filesystem information.

Most probably.

> But there's nothing secret about a directory containing a web-facing
> application!

That may be the case but their recommendation is still: Issue a "404 -
Not Found" response status code for a forbidden resource, or remove it
completely.

> Having said that, rtfm ErrorDocument for one way to do what you ask,
> if it's for some ignorant PHB's box-ticking exercise.

Colour me stupid but as far as I can tell ErrorDocument only provides
for the replacement of the text of a message. I can not see how it can
be used to force a 404 instead of a 403.

Thanks for your response anyway.

Regards, Hugh

-- 
Hugh E Cruickshank, Forward Software, www.forward-software.com 

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
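
One way to get the 404 the scanner asks for, shown as an added example that is not part of the original thread: it uses mod_alias's RedirectMatch rather than ErrorDocument. The filesystem path and the ScriptAlias layout are assumptions, and the access-control lines use the Apache 2.2 syntax current when this message was written.

```apache
# Added example. /usr/local/apache2/cgi-bin is an assumed install path.

# Before: the scripts are mapped and directory listing is off, so a
# request for the bare directory URL is refused with 403 Forbidden.
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
<Directory "/usr/local/apache2/cgi-bin">
    Options None
    AllowOverride None
    # Apache 2.2 access control; on 2.4 use "Require all granted".
    Order allow,deny
    Allow from all
</Directory>

# After: answer the bare directory URL with 404 Not Found.
# When the status is outside 300-399 the target URL argument is omitted.
# The anchored pattern matches only /cgi-bin and /cgi-bin/, so requests
# such as /cgi-bin/script.cgi are still passed to the ScriptAlias.
# mod_alias evaluates Redirect directives before Alias/ScriptAlias, so
# the position of this line relative to the ScriptAlias does not matter.
RedirectMatch 404 ^/cgi-bin/?$
```

After reloading the server, `curl -I http://www.example.com/cgi-bin/` should report 404 while the scripts inside the directory keep their normal responses.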

