tomcat-users mailing list archives

From Jordan Michaels <jor...@viviotech.net>
Subject Re: "exception-message" header reveals path to document root in 404 response.
Date Sat, 11 Jan 2014 00:50:54 GMT
Thanks August, good to know.

Warm Regards,
Jordan Michaels

On 01/10/2014 04:48 PM, August Kleimo wrote:
> Hi All,  Thanks for all your replies.  Turns out it was in fact Railo.  I
> searched the Railo repo on GitHub and found a reference to that header.  I
> was able to overwrite it with a blank string using this line of code.
>
> <cfset getPageContext().getResponse().setHeader("exception-message","")>
>
>
>
>
> On Fri, Jan 10, 2014 at 4:36 PM, Jordan Michaels <jordan@viviotech.net>wrote:
>
>> It may also be useful to know if you get this same "exception-message"
>> header when you get a 404 from the Railo servlet (from a request for a .cfm
>> file).
>>
>> It may help determine if Railo is involved or not.
>>
>>
>> Warm Regards,
>> Jordan Michaels
>>
>> On 01/10/2014 04:02 PM, Caldarale, Charles R wrote:
>>
>>>> From: August Kleimo [mailto:august@kleimo.com]
>>>> Subject: "exception-message" header reveals path to document root in 404
>>>> response.
>>>>
>>>> I'm failing a PCI compliance scan because my Tomcat Version 7.0.20 server
>>>> is revealing the path to the document web root in an "exception-message"
>>>> header when a missing page is requested.
>>>
>>> If you were really worried about security, you wouldn't be running a
>>> version of Tomcat that's 2.5 years old.  Seriously, upgrade.
>>>
>>>> Does anyone know of a way to get rid of this header from the response?
>>>
>>> Use your own custom error page.
>>>
>>>> Note: I'm running Railo 4.1.2 on top of Tomcat ... but I think this
>>>> header is coming from Tomcat.
>>>
>>>
>>> Nope.  Here's Tomcat's standard 404 response:
>>>
>>> HTTP/1.1 404 Not Found
>>> Server: Apache-Coyote/1.1
>>> Content-Type: text/html;charset=utf-8
>>> Content-Length: 1027
>>> Date: Fri, 10 Jan 2014 23:59:34 GMT
>>>
>>> Most likely Railo is using a "friendly" error page.
>>>
>>>    - Chuck
>>>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
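A way to verify the fix before the next PCI scan, as an added example that is not code from this thread, from Railo or from Tomcat: the script below requests a page that should not exist and reports any response header, or any piece of the body, that looks like a local filesystem path, then exercises the same logic offline against three constructed responses (one with a leaking exception-message header, one with the header blanked the way August did, and Tomcat's stock 404 with a short made-up body). The probe path, the directory prefixes the regex treats as filesystem roots, the wording of the leaky header and the sample bodies are all assumptions made for the demonstration.

```python
"""Probe a site's 404 response for headers or body text that leak filesystem paths.

Added example, not code from the mailing-list thread, Railo or Tomcat. The probe
path, the directory prefixes treated as filesystem roots and the sample responses
are assumptions made for the demonstration.
"""
import http.client
import re
import sys
from urllib.parse import urlparse

# Heuristic (assumed list): a Windows drive path, or a POSIX path under a prefix
# where a Tomcat/Railo install or a document root typically lives. A bare URL
# path such as /missing.cfm deliberately does not match.
PATH_RE = re.compile(
    r'(?:[A-Za-z]:\\[^\s"<>\]]+|/(?:opt|var|usr|home|srv|etc|tmp)/[^\s"<>\]]+)'
)


def parse_raw_response(raw):
    """Split a raw HTTP/1.1 response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def find_disclosures(headers, body):
    """Return [(where, text)] for every path-looking string in headers or body.

    A non-empty exception-message header is reported whole, since that is the
    header the scan in the thread objected to; every other header, and the body,
    is reported only where it contains something that looks like a local path.
    """
    findings = []
    for name, value in headers.items():
        if name == "exception-message" and value:
            findings.append(("header " + name, value))
            continue
        for match in PATH_RE.findall(value):
            findings.append(("header " + name, match))
    for match in PATH_RE.findall(body):
        findings.append(("body", match))
    return findings


def check_raw(raw):
    """Parse a captured response and return its disclosures."""
    _, headers, body = parse_raw_response(raw)
    return find_disclosures(headers, body)


def fetch_404(base_url, probe="/this-page-does-not-exist-4f9c.cfm"):
    """Request a page that should not exist and return (status, headers, body)."""
    u = urlparse(base_url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=10)
    conn.request("GET", probe)
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    headers = {name.lower(): value for name, value in resp.getheaders()}
    conn.close()
    return resp.status, headers, body


# Constructed sample responses (not captured from any real server).
LEAKY_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "exception-message: Page /missing.cfm [/opt/railo/tomcat/webapps/ROOT/missing.cfm] not found\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<html><body>Page not found</body></html>"
)

# Same response after the header is overwritten with a blank string, as August did in Railo.
BLANKED_RESPONSE = LEAKY_RESPONSE.replace(
    "exception-message: Page /missing.cfm [/opt/railo/tomcat/webapps/ROOT/missing.cfm] not found",
    "exception-message:",
)

# Tomcat's stock 404 headers from the thread, plus a short constructed body; the
# request path echoed in the body is a URL path, not a filesystem path.
CLEAN_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<html><body><h1>HTTP Status 404 - /missing.cfm</h1></body></html>"
)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python check404.py http://host:8080")
    status, headers, body = fetch_404(sys.argv[1])
    print("status:", status)
    for where, text in find_disclosures(headers, body):
        print("DISCLOSURE in", where + ":", text)
```

Run it against the instance before the scanner does. Note that blanking the header as in the cfset line above leaves an empty exception-message header in the response, which still tells a fingerprinting tool that Railo is in the stack but no longer carries a path, so it passes this check; Chuck's custom error page covers the body, and the exception-message header has to be dealt with on the Railo side.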

