tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Berneburg, Cris J. - US" <cberneb...@caci.com>
Subject RE: tomcat 6 vulnerability scan default error page help
Date Mon, 07 May 2018 14:39:37 GMT
Leon, Mark, and Alejandro

Thanks for your time and suggestions.  I appreciate it.

cjb> We are getting dinged by a vulnerability scan for the default
cjb> not-found error page being returned by Tomcat for a Status 404.
cjb> [...]
cjb> However, I can't find where the error-page for 404 is defined.
cjb> [...] How do I get rid of or override the default error
cjb> / 404 / not-found page

LR> try to add following to your web.xml <error-page>

MT> $CATALINA_HOME/lib/org/apache/catalina/util
MT> Download this file: [...] ServerInfo.properties
MT> [...] modify the three properties to whatever value you like

AV> unpack catalina.jar in tomcat lib directory,
AV> then go to org\apache\catalina\util\,
AV> open ServerInfo.properties and edit it

I'm thinking of opting for the simplest and quickest possible solution, which is to add an
<error-page> section to the main Tomcat conf/web.xml file but *not* supply the static
page specified in the <location>.

Experimenting with that arrangement returns a 404 but no page contents, which conforms to
the security finding of not returning the default 404 error page.

The least complex solution is most likely to succeed because it has the greatest chance of
being deployed correctly within our tight deadline.

--
Cris Berneburg
CACI Lead Software Engineer


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message