tomcat-users mailing list archives

From: "Berneburg, Cris J. - US" <cberneb...@caci.com>
Subject: tomcat 6 vulnerability scan default error page help
Date: Wed, 02 May 2018 19:27:52 GMT

We are getting dinged by a vulnerability scan for the default not-found error page being returned
by Tomcat for a Status 404.

On my dev server when requesting an invalid URL, Tomcat returns a Status 404 page that displays
the Tomcat version.  Right, I need to do something about that.

However, I can't find where the error-page for 404 is defined.  It's not defined in:
- webapps/ROOT/WEB-INF/web.xml
- conf/web.xml
- conf/server.xml
- conf/context.xml

Also, I can't find a notFound or error page either.

How do I get rid of or override the default error / 404 / not-found page if I can't find it
or where it is currently defined?  Also, how is Tomcat returning the default 404 error page
if it does not exist?  I hope it's not hardcoded in a servlet response.

FYI, we're going to remove the ROOT, docs, and examples folders to mitigate other scan findings.

And we're using Tomcat 6.0.37 (ahem).

--
Cris Berneburg
CACI Lead Software Engineer

