tomcat-users mailing list archives

From Leon Rosenberg <rosenberg.l...@gmail.com>
Subject Re: tomcat 6 vulnerability scan default error page help
Date Wed, 02 May 2018 19:37:37 GMT
Hi Cris,

Try adding the following to your web.xml:
<error-page>
    <error-code>404</error-code>               <!-- HTTP status code -->
    <location>/error404.html</location>        <!-- static page, servlet URL or JSP -->
</error-page>
regards
Leon


On Wed, May 2, 2018 at 9:27 PM, Berneburg, Cris J. - US <cberneburg@caci.com> wrote:

> We are getting dinged by a vulnerability scan for the default not-found
> error page being returned by Tomcat for a Status 404.
>
> On my dev server when requesting an invalid URL, Tomcat returns a Status
> 404 page that displays the Tomcat version.  Right, I need to do something
> about that.
>
> However, I can't find where the error-page for 404 is defined.  It's not
> defined in:
> - webapps/ROOT/WEB-INF/web.xml
> - conf/web.xml
> - conf/server.xml
> - conf/context.xml
>
> Also, I can't find a notFound or error page either.
>
> How do I get rid of or override the default error / 404 / not-found page
> if I can't find it or where it is currently defined?  Also, how is Tomcat
> returning the default 404 error page if it does not exist?  I hope it's not
> hardcoded in a servlet response.
>
> FYI, we're going to remove the ROOT, docs, and examples folders to
> mitigate other scan findings.
>
> And we're using Tomcat 6.0.37 (ahem).
>
> --
> Cris Berneburg
> CACI Lead Software Engineer
>
>
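
A check that could accompany this change, as an added example that is not part of the original thread: it audits a web.xml string for well-formed <error-page> entries and looks for the Tomcat version footer in a 404 response body. The function names, the sample web.xml documents and the sample response body are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Footer Tomcat prints on its built-in error report, e.g. "Apache Tomcat/6.0.37".
BANNER = re.compile(r"Apache Tomcat/(\d+(?:\.\d+)+)")

def _local(tag):
    """Strip an XML namespace prefix such as {http://java.sun.com/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]

def audit_error_pages(web_xml, required=(404,)):
    """Return findings for the <error-page> entries of a web.xml given as a string."""
    findings, covered = [], set()
    for ep in ET.fromstring(web_xml):
        if _local(ep.tag) != "error-page":
            continue
        kids = {_local(c.tag): (c.text or "").strip() for c in ep}
        key = kids.get("error-code") or kids.get("exception-type")
        if not key:
            findings.append("error-page without error-code or exception-type")
        elif not kids.get("location", "").startswith("/"):
            findings.append(f"error-page for {key}: <location> missing or not starting with '/'")
        else:
            covered.add(key)
    findings += [f"no custom error page for status {c}" for c in required if str(c) not in covered]
    return findings

def leaked_version(body):
    """Return the Tomcat version disclosed in a response body, or None."""
    match = BANNER.search(body)
    return match.group(1) if match else None

# Constructed samples (not captured from the server discussed in the thread).
GOOD = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <error-page><error-code>404</error-code><location>/error404.html</location></error-page>
</web-app>"""
BAD = """<web-app>
  <error-page><error-code>404</error-code><error-page>/error404.html</error-page></error-page>
</web-app>"""
DEFAULT_404 = ("<html><head><title>Apache Tomcat/6.0.37 - Error report</title></head>"
               "<body><h1>HTTP Status 404 - /nope</h1><h3>Apache Tomcat/6.0.37</h3></body></html>")

if __name__ == "__main__":
    print(audit_error_pages(GOOD))
    print(audit_error_pages(BAD))
    print(leaked_version(DEFAULT_404))
```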
