tomcat-users mailing list archives

From Mark Thomas <>
Subject Re: "exception-message" header reveals path to document root in 404 response.
Date Sat, 11 Jan 2014 09:52:32 GMT
On 11/01/2014 00:02, Caldarale, Charles R wrote:
>> From: August Kleimo [] 
>> Subject: "exception-message" header reveals path to document root in 404 response.
>> I'm failing a PCI compliance scan because my Tomcat Version 7.0.20 server
>> is revealing the path to the document web root in an "exception-message"
>> header when a missing page is requested.
> If you were really worried about security, you wouldn't be running a version of Tomcat
> that's 2.5 years old.  Seriously, upgrade.

You have to wonder about the quality of a compliance scan that complains
about the exposure of a completely standard path for web content but
doesn't complain about running a server with 9 important, 2 moderate and
1 low security vulnerabilities. While a number of those vulnerabilities
may not impact the server, several of the DoS vulnerabilities certainly

