Public bug reported:

Due to receiving a few security reports about it, we've recently re-
styled the 404 response pages for most of the Mahara project sites. The
reports we received pointed out that the default Apache 404 response
page prints the url-decoded (but still html-escaped) query portion of
the URL on the page. This could result in attackers printing arbitrary
text onto the page, with spaces and such, which conceivably could be
part of a phishing attack.

To keep things simple, we replaced it with a static empty page that
doesn't include any details about the requested query. However, ideally
we'd want to print out a page more like Google's 404 page:

1. Styled in the site's theme
2. Contains the requested URL, but in a way that clearly sets it apart
(i.e., url-encoded so that spaces are transformed into %20, and possibly
truncated if it's quite long.)
3. Maybe translated as well.

We could achieve this by shipping a PHP script with Mahara, which a
Mahara site admin could then configure their Apache server to use for
its 404 error document, via this directive:

ErrorDocument 404 /errors/404.php

We might also provide a "sample.htaccess" file, sitting at the top level
of the project (outside the htdocs directory) to show people how to set
this up. (We used to include a .htaccess file in Mahara's htdocs by
default, but this could cause crashes if people were using different
servers or different versions of Apache).
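As an added illustration of the approach described above (this is example code, not Mahara's own 404 script), the following errors/404.php re-encodes the requested path instead of echoing it, drops the query string, truncates long paths and HTML-escapes the result before printing. The function name safe_404_path, the MAX_DISPLAY_LEN constant, the stylesheet path and the assumption that Apache's REDIRECT_STATUS variable reaches PHP (true under mod_php; other SAPI setups may differ) are all assumptions made for this example.

```php
<?php
// Example 404 error document for Apache, wired up with:
//   ErrorDocument 404 /errors/404.php
// Added example, not Mahara's own code. safe_404_path(), MAX_DISPLAY_LEN
// and the stylesheet path are assumptions for illustration.

declare(strict_types=1);

const MAX_DISPLAY_LEN = 80; // assumption: where to cut over-long paths

/**
 * Turn the raw request URI into a string that is safe to print:
 *  - the query string is dropped entirely (it is the part the security
 *    reports complained about), only the path is shown;
 *  - each path segment is percent-decoded and then re-encoded with
 *    rawurlencode(), so spaces become %20 and only RFC 3986 unreserved
 *    characters stay literal; attacker-supplied text is normalised,
 *    not echoed;
 *  - paths longer than $max_len are truncated with an ellipsis;
 *  - the result is HTML-escaped for output.
 */
function safe_404_path(string $request_uri, int $max_len = MAX_DISPLAY_LEN): string
{
    $path = parse_url($request_uri, PHP_URL_PATH);
    if (!is_string($path) || $path === '') {
        $path = '/';
    }
    $segments = array_map(
        static fn(string $s): string => rawurlencode(rawurldecode($s)),
        explode('/', $path)
    );
    $canonical = implode('/', $segments);
    if (strlen($canonical) > $max_len) {
        $canonical = substr($canonical, 0, $max_len) . '...';
    }
    return htmlspecialchars($canonical, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Apache sets REDIRECT_STATUS on an ErrorDocument internal redirect. When the
// script is requested directly that variable is absent, so answer with an
// empty 404 instead of acting as a generic "print this path" endpoint.
if (($_SERVER['REDIRECT_STATUS'] ?? '') !== '404') {
    http_response_code(404);
    exit;
}

// Keep the original status code; a script-based ErrorDocument must not
// turn a missing page into a 200.
http_response_code(404);
header('Content-Type: text/html; charset=UTF-8');
header('X-Content-Type-Options: nosniff');

$shown = safe_404_path($_SERVER['REQUEST_URI'] ?? '/');
?>
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>404 Not Found</title>
  <!-- assumption: the site theme's stylesheet, so the page matches the site -->
  <link rel="stylesheet" href="/theme/raw/style/style.css">
</head>
<body>
  <h1>Page not found</h1>
  <p>The URL <code><?= $shown ?></code> was not found on this server.</p>
</body>
</html>
```

With this, a request for `/please%20log%20in%20at%20evil.example/x` is shown as `/please%20log%20in%20at%20evil.example/x` rather than as readable prose with spaces, and anything after `?` never appears on the page at all. The directive in the comment at the top is what a sample.htaccess would carry.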

** Affects: mahara
     Importance: Wishlist
         Status: Confirmed

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask 
on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1626315

Title:
  Wishlist: Apache-compatible 404 error response page

Status in Mahara:
  Confirmed

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1626315/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to     : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp
