tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: "exception-message" header reveals path to document root in 404 response.
Date Sat, 11 Jan 2014 09:52:32 GMT
On 11/01/2014 00:02, Caldarale, Charles R wrote:
>> From: August Kleimo [mailto:august@kleimo.com] 
>> Subject: "exception-message" header reveals path to document root in 404 response.
> 
>> I'm failing a PCI compliance scan because my Tomcat Version 7.0.20 server
>> is revealing the path to the document web root in an "exception-message"
>> header when a missing page is requested.
> 
> If you were really worried about security, you wouldn't be running a version of Tomcat
> that's 2.5 years old.  Seriously, upgrade.

You have to wonder about the quality of a compliance scan that complains
about the exposure of a completely standard path for web content but
doesn't complain about running a server with 9 important, 2 moderate and
1 low security vulnerabilities. While a number of those vulnerabilities
may not impact the server, several of the DoS vulnerabilities certainly
will.

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

