Re: mod_security status 200
Ryan Barnett <rcbarnett <at> gmail.com>
2005-11-04 12:08:01 GMT
Are you just interested in fooling scanners? If so, then you can trap outbound 404 html data with mod_security's output filter like this -
SecFilterSelective OUTPUT "The requested file you request does not exist" status:200
You need to trigger on the html text of your 404 pages rather than HTTP Status code line as the output filter does not capture that data. I believe that Ivan is implementing a new directive to allow you to trap outbound status codes.
Keep in mind, however, that while this will change the status code to 200, the html text that will be displayed will not be of much help to real users who have requested a non-existent page. For example, with my Apache setup this is what is returned -
HTTP/1.1 200 OK
Date: Fri, 04 Nov 2005 12:07:24 GMT
Server: Microsoft-IIS/5.0
Content-Length: 497
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>200 OK</title>
</head><body>
<h1>OK</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator,
you <at> example.com and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.</p>
<p>More information about this error may be available
in the server error log.</p>
</body></html>
Connection closed by foreign host.
-Ryan
--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
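
Added example, not part of the original message: a small Python check for the mismatch described above, where the status line says 200 but the body still carries error-page text. The phrase list, the function names and both sample responses are assumptions constructed for illustration.

```python
import re

# Assumed phrases that mark an error page; tune them to your own ErrorDocument text.
ERROR_PHRASES = ("internal error", "does not exist", "not found", "error log")

# Constructed sample, shortened from the rewritten response quoted in the message.
REWRITTEN = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><head><title>200 OK</title></head><body><h1>OK</h1>\n"
    "<p>The server encountered an internal error or\n"
    "misconfiguration and was unable to complete\nyour request.</p>\n"
    "<p>More information about this error may be available\n"
    "in the server error log.</p></body></html>\n"
)
# Constructed sample of an ordinary page, for contrast.
NORMAL = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
          "<html><body><h1>Welcome</h1></body></html>\n")

def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    match = re.match(r"HTTP/\d\.\d (\d{3})", status_line)
    if not match:
        raise ValueError("not an HTTP response: %r" % status_line)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(match.group(1)), headers, body

def audit(raw):
    """Return findings where a 2xx status disagrees with what the body says."""
    status, _headers, body = parse_response(raw)
    if not 200 <= status < 300:
        return []                              # an honest error status is consistent
    text = re.sub(r"<[^>]+>", " ", body)       # drop tags, keep the visible text
    text = re.sub(r"\s+", " ", text).lower()   # rejoin sentences wrapped across lines
    return ["status %d but body says %r" % (status, phrase)
            for phrase in ERROR_PHRASES if phrase in text]

if __name__ == "__main__":
    for name, raw in (("rewritten", REWRITTEN), ("normal", NORMAL)):
        print(name, audit(raw) or "consistent")
```

Running it against your own server's response after enabling the rule shows whether real users would still be served error text under a 200 status.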