severity_rating: low
created_at: 2019-01-04 03:36:29
vendor: cfptime https://hackerone.com/cfptime
bounty_amount:

PoC:

https://www.cfptime.org/%20is%20not%20available%20anymore%20,%20pls%20go%20to%20WWW.EVIL.COM%20because%20this%20site.

Steps to reproduce:

1: Browse to the target in any browser.
2: Target: http://www.cfptime.org/
3: Add any content after the target URL. For example: this is not available anymore pls check WWW.EVIL.COM because this site
4: The browser now displays the injected content or text, reflected in the page.

Fix:

Use a predefined 404 page with fixed error content.
It can be fixed by adding the following to the web server config:
ErrorDocument 404 "File not found."

Impact

The application allows users to inject any content into the 404 Not Found page.
The issue is not critical, as it is only possible to inject plain text, no links or active content, into the error page.
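
A regression check for the fix above, as an added example that is not part of the original report: it requests a nonexistent path carrying a marker and reports whether the 404 body echoes it. The two local handlers, the marker string and the function names are constructed for illustration; ReflectingHandler stands in for the reported behaviour and FixedHandler for a server returning the fixed "File not found." text.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import quote, unquote

FIXED_BODY = b"File not found."  # same fixed text as the ErrorDocument directive

class ReflectingHandler(BaseHTTPRequestHandler):
    """Constructed stand-in: the 404 body echoes the requested path."""
    def do_GET(self):
        self._send(("The requested URL %s was not found." % unquote(self.path)).encode())

    def _send(self, body):
        self.send_response(404)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

class FixedHandler(ReflectingHandler):
    """Constructed stand-in for the fix: the 404 body never depends on the request."""
    def do_GET(self):
        self._send(FIXED_BODY)

def reflects_path(base_url, marker="reflect probe 7f3a"):
    """Return True if the error page for a nonexistent path contains the marker."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy
    try:
        with opener.open(base_url + "/" + quote(marker), timeout=5) as resp:
            body = resp.read()
    except urllib.error.HTTPError as err:  # a 404 arrives here; its body is still readable
        body = err.read()
    text = body.decode("utf-8", "replace")
    # Servers may echo the path decoded or still percent-encoded; check both forms.
    return marker in text or quote(marker) in text

def check(handler_cls):
    """Serve handler_cls on a free localhost port and probe it once."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return reflects_path("http://127.0.0.1:%d" % server.server_port)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print("reflecting 404:", check(ReflectingHandler), "| fixed 404:", check(FixedHandler))
```

reflects_path can be pointed at a staging copy of your own site after the error page is changed; a True result means the 404 body still depends on the request.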
