Bugtraq mailing list archives

Re: Is there user Anna at your host ?


From: "Bill Munger" <bmunger () lightshipmail net>
Date: Thu, 13 Sep 2001 13:32:59 -0400 (EDT)

The usefulness of this method is very limited. The numeric response code 
(200, 403, 404, 500 etc) that apache sends along with a custom error page 
remains unchanged. Even if your document says something generic (or even 
false), apache is still being quite specific (and truthful) about the 
problem it is reporting. Anyone doing a brute scan will likely pay more 
attention to the numeric code than to anything in the document body.

This might fool a curious punk who is typing things in the location bar of 
his mainstream browser, but it is basically useless against any attack more 
sophisticated (i.e. automated) than that. Protection that is so trivially 
circumvented is perhaps worse than none at all, as it can lead one to let 
down his guard (cf. trusting HTTP_REFERER for resource authorization).

Not to mention the obvious problem of hiding useful trouble-shooting 
information from legitimate users/developers/administrators, etc. The 
apache 'ErrorDocument' directive can make your site prettier and more user 
friendly, but will not do much to increase security.

Mariusz Woloszyn <emsi () ipartners pl> wrote:

You can always change error files in apache conf:

ErrorDocument 404 /error/blah.html
ErrorDocument 403 /error/blah.html


--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners
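An added illustration of the point Bill makes above, not code from either poster: a small local server that, like `ErrorDocument 403` and `ErrorDocument 404` both pointing at one file, serves an identical generic body for a forbidden path and for a missing one. The client only looks at the numeric status, so the two cases remain distinguishable. The paths, the resource table and the page bodies are constructed for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed generic error page, standing in for /error/blah.html.
GENERIC_BODY = b"<html><body>Something went wrong.</body></html>\n"

# Constructed stand-in for the server's real filesystem/ACL state.
RESOURCES = {"/index.html": 200, "/private/": 403}

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Same body for 403 and 404, but the status line still carries the real code.
        code = RESOURCES.get(self.path, 404)
        body = b"<html><body>Welcome</body></html>\n" if code == 200 else GENERIC_BODY
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_server():
    srv = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def probe(port, path):
    """Fetch one path and return (status, body): what an automated scan sees."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body

def demo(paths=("/private/", "/nonexistent")):
    srv = start_server()
    try:
        return {p: probe(srv.server_port, p) for p in paths}
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    for path, (status, body) in demo().items():
        print(f"{path}: status={status} body={body!r}")
```

Both responses carry the same body, yet the 403 and the 404 are told apart by the status code alone, which is why a custom error page changes appearance but not what the server discloses.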

