tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: tomcat 6 vulnerability scan default error page help
Date Wed, 02 May 2018 20:00:48 GMT
On 02/05/18 20:51, Leon Rosenberg wrote:
> Hi Mark,
> 
> I agree with you that the complaint about version number is rather a minor
> one, however, I've had the same situation as one of our projects had to
> pass through a PCI Compliance test, and this is what they really test for.

Don't get me started on PCI compliance...

Oh, and Cris - take a look at the ErrorReportValve. That is where the
default error page is coming from.

Mark


> 
> regards
> Leon
> 
> On Wed, May 2, 2018 at 9:42 PM, Mark Thomas <markt@apache.org> wrote:
> 
>> On 02/05/18 20:27, Berneburg, Cris J. - US wrote:
>>> We are getting dinged by a vulnerability scan for the default not-found
>>> error page being returned by Tomcat for a Status 404.
>>>
>>> On my dev server when requesting an invalid URL, Tomcat returns a Status
>>> 404 page that displays the Tomcat version.  Right, I need to do something
>>> about that.
>>>
>>> However, I can't find where the error-page for 404 is defined.  It's not
>>> defined in:
>>> - webapps/ROOT/WEB-INF/web.xml
>>> - conf/web.xml
>>> - conf/server.xml
>>> - conf/context.xml
>>>
>>> Also, I can't find a notFound or error page either.
>>>
>>> How do I get rid of or override the default error / 404 / not-found page
>>> if I can't find it or where it is currently defined?  Also, how is Tomcat
>>> returning the default 404 error page if it does not exist?  I hope it's not
>>> hardcoded in a servlet response.
>>>
>>> FYI, we're going to remove the ROOT, docs, and examples folders to
>>> mitigate other scan findings.
>>>
>>> And we're using Tomcat 6.0.37 (ahem).
>>
>> And you are worried about returning the version number? Have you seen
>> how many real security issues (as opposed to this version number
>> non-issue) there are in 6.0.37? I can't help but think your priorities
>> are all wrong.
>>
>> Hiding the version info is trivial.
>> Create the following directory structure:
>> $CATALINA_HOME/lib/org/apache/catalina/util
>>
>> Download this file:
>> https://svn.apache.org/viewvc/tomcat/archive/tc6.0.x/trunk/java/org/apache/catalina/util/ServerInfo.properties?revision=1803960&view=co
>>
>> Place it in that directory and modify the three properties to whatever
>> value you like.
>>
>> Restart Tomcat.
>>
>> Mark
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
> 


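The override Mark describes above, scripted as an added example (this is not code from the thread or from the Tomcat project). It creates the `$CATALINA_HOME/lib/org/apache/catalina/util` directory and writes a `ServerInfo.properties` there with generic values instead of downloading the stock file. The three property names `server.info`, `server.number` and `server.built` are assumed to be the ones in Tomcat's own `ServerInfo.properties`; the default values written here are placeholders you would replace.

```shell
# Added example: write a ServerInfo.properties override so Tomcat 6 stops
# reporting its exact version on the default error pages.
# Assumption: the three properties are server.info, server.number and
# server.built, as in Tomcat's bundled ServerInfo.properties.
write_server_info() {
    catalina_home="$1"
    info="${2:-Apache Tomcat}"       # placeholder: shown on error pages
    number="${3:-0.0.0.0}"           # placeholder: version number
    built="${4:-unknown}"            # placeholder: build date
    dir="$catalina_home/lib/org/apache/catalina/util"
    mkdir -p "$dir"
    printf 'server.info=%s\nserver.number=%s\nserver.built=%s\n' \
        "$info" "$number" "$built" > "$dir/ServerInfo.properties"
    # Print the path so a caller can check what was written.
    echo "$dir/ServerInfo.properties"
}

# Returns success only if the override file exists and defines server.info.
check_server_info() {
    f="$1/lib/org/apache/catalina/util/ServerInfo.properties"
    [ -f "$f" ] && grep -q '^server.info=' "$f"
}

# Usage (point it at a real CATALINA_HOME, then restart Tomcat):
#   write_server_info /opt/tomcat "Apache Tomcat" "0.0.0.0" "unknown"
```

After restarting Tomcat, request a path that does not exist and confirm that the footer of the 404 page produced by the ErrorReportValve now shows the placeholder string rather than the real version. As Mark points out, this only hides the banner; it does not change what the scanner would find if it fingerprinted the 6.0.37 behaviour directly, so the upgrade is the real fix.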