From: "Berneburg, Cris J. - US"
To: "users@tomcat.apache.org"
Subject: tomcat 6 vulnerability scan default error page help
Date: Wed, 2 May 2018 19:27:52 +0000
Message-ID: <641c4be86cec4f2d9e42351ced7d1b05@CISEXCASMB02-1a.caci.com>

We are getting dinged by a vulnerability scan for the default not-found error page being returned by Tomcat for a Status 404.

On my dev server when requesting an invalid URL, Tomcat returns a Status 404 page that displays the Tomcat version. Right, I need to do something about that.

However, I can't find where the error-page for 404 is defined. It's not defined in:

- webapps/ROOT/WEB-INF/web.xml
- conf/web.xml
- conf/server.xml
- conf/context.xml

Also, I can't find a notFound or error page either.

How do I get rid of or override the default error / 404 / not-found page if I can't find it or where it is currently defined? Also, how is Tomcat returning the default 404 error page if it does not exist? I hope it's not hardcoded in a servlet response.

FYI, we're going to remove the ROOT, docs, and examples folders to mitigate other scan findings. And we're using Tomcat 6.0.37 (ahem).

--
Cris Berneburg
CACI Lead Software Engineer
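An added example, not part of the original message: a small Python check for the finding described above. It reports whether an error response exposes a Tomcat version banner and which status codes a web.xml maps with the servlet `<error-page>` element. The function names, the sample responses, the descriptors and the `/errors/404.html` location are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Product banner as it appears in the scan finding, e.g. "Apache Tomcat/6.0.37".
BANNER = re.compile(r"Apache Tomcat/(\d+(?:\.\d+)+)")

def disclosed_version(status, headers, body):
    """Return the Tomcat version exposed by an error response, or None."""
    if status < 400:
        return None
    for text in list(headers.values()) + [body]:
        match = BANNER.search(text)
        if match:
            return match.group(1)
    return None

def mapped_error_codes(web_xml_text):
    """Return the status codes that have an <error-page> mapping in a web.xml."""
    local = lambda el: el.tag.rsplit("}", 1)[-1]  # drop any XML namespace
    codes = set()
    for page in ET.fromstring(web_xml_text).iter():
        if local(page) != "error-page":
            continue
        for child in page:
            if local(child) == "error-code" and child.text:
                codes.add(int(child.text.strip()))
    return codes

# Constructed samples (not captured from a real server).
DEFAULT_404 = ('<html><head><title>Apache Tomcat/6.0.37 - Error report</title></head>'
               '<body><h1>HTTP Status 404 - /nope</h1>'
               '<h3>Apache Tomcat/6.0.37</h3></body></html>')
CUSTOM_404 = "<html><body><h1>Page not found</h1></body></html>"
HEADERS = {"Server": "Apache-Coyote/1.1", "Content-Type": "text/html"}
WEB_XML_UNMAPPED = ('<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">'
                    '<welcome-file-list><welcome-file>index.jsp</welcome-file>'
                    '</welcome-file-list></web-app>')
# /errors/404.html is a hypothetical location for a static custom page.
WEB_XML_MAPPED = ('<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">'
                  '<error-page><error-code>404</error-code>'
                  '<location>/errors/404.html</location></error-page></web-app>')

if __name__ == "__main__":
    print("default page leaks:", disclosed_version(404, HEADERS, DEFAULT_404))
    print("custom page leaks:", disclosed_version(404, HEADERS, CUSTOM_404))
    print("mapped before:", mapped_error_codes(WEB_XML_UNMAPPED))
    print("mapped after:", mapped_error_codes(WEB_XML_MAPPED))
```

Running the same two functions against a real response and the deployed descriptors before and after a change shows whether the banner is gone and whether a 404 mapping is actually in place.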