tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jordan Michaels <jor...@viviotech.net>
Subject Re: "exception-message" header reveals path to document root in 404 response.
Date Sat, 11 Jan 2014 00:34:04 GMT
Although I suppose it's possible, I don't think it has to do with Railo. 
The Railo servlet doesn't handle requests for .html files... those are 
handled by Tomcat's default servlet.

Here are the default (suggested) handlers for a Railo install:

     <servlet-mapping>
         <servlet-name>CFMLServlet</servlet-name>
         <url-pattern>*.cfm</url-pattern>
         <url-pattern>*.cfml</url-pattern>
         <url-pattern>*.cfc</url-pattern>
         <!-- Basic SES Mappings -->
         <url-pattern>/index.cfc/*</url-pattern>
         <url-pattern>/index.cfm/*</url-pattern>
         <url-pattern>/index.cfml/*</url-pattern>
     </servlet-mapping>

     <!-- Mapping for Flex Gateway Servlet -->
     <servlet-mapping>
         <servlet-name>MessageBrokerServlet</servlet-name>
         <url-pattern>/flex2gateway/*</url-pattern>
         <url-pattern>/flashservices/gateway/*</url-pattern>
         <url-pattern>/messagebroker/*</url-pattern>
     </servlet-mapping>

     <!-- mapping for Railo's REST servlet -->
     <servlet-mapping>
         <servlet-name>RestServlet</servlet-name>
         <url-pattern>/rest/*</url-pattern>
     </servlet-mapping>

August, can you describe you're install a bit more? How did you install 
Railo? Did you start with a Vanilla Tomcat install and install a Railo 
war? Have you customized your install at all or added any custom configs?

Warm Regards,
Jordan Michaels

On 01/10/2014 04:02 PM, Caldarale, Charles R wrote:
>> From: August Kleimo [mailto:august@kleimo.com]
>> Subject: "exception-message" header reveals path to document root in 404 response.
>
>> I'm failing a PCI compliance scan because my Tomcat Version 7.0.20 server
>> is revealing the path to the document web root in an "exception-message"
>> header when a missing page is requested.
>
> If you were really worried about security, you wouldn't be running a version of Tomcat
that's 2.5 years old.  Seriously, upgrade.
>
>> Does anyone know of way to get rid of this header from the response?
>
> Use your own custom error page.
>
>> Note: I'm running Railo 4.1.2 on top of Tomcat ... but I think this header
>> is coming from Tomcat.
>
> Nope.  Here's Tomcat's standard 404 response:
>
> HTTP/1.1 404 Not Found
> Server: Apache-Coyote/1.1
> Content-Type: text/html;charset=utf-8
> Content-Length: 1027
> Date: Fri, 10 Jan 2014 23:59:34 GMT
>
> Most likely Railo is using a "friendly" error page.
>
>   - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and
is thus for use only by the intended recipient. If you received this in error, please contact
the sender and delete the e-mail and its attachments from all computers.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message