Brian, a question for clarification. When you say "customized 404 response", you are not referring to a customized error document (as described briefly in the httpd.conf file) but rather to having changed the headers that the server returns when queried with a GET request, correct? And wouldn't this require changing source code and compiling a custom build of Apache?

I'm guessing that you tested a server with some kind of customized 404 response that neglected to include a charset specification. That's not a vulnerability in Apache, that is poor site configuration.
Paul Schmehl (pauls@xxxxxxxxxxxx)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/