Posted to users@tomcat.apache.org by FANG YAP <fa...@gmail.com> on 2020/08/04 03:10:15 UTC

Vulnerability on Apache Tomcat Default Files

Hello Apache Tomcat,

I have an issue with the subject mentioned, which the vulnerability scan
flagged.

Plugin: 12085
Plugin Text: Apache Tomcat Default Files
Protocol: TCP
Port: 8080

Apache Tomcat 8.5.55 (x64-bit machines)

In my app folder (located in the webapp folder) I already have the necessary
error pages. I also indicated the error JSP file in the app's web.xml. How do I
know what should be shown when they (users) enter the wrong site for Tomcat?

Should it be showing the page below, or should it show my custom error page
set in the app's web.xml?
HTTP 404 Not Found
The webpage cannot be found..
Most likely causes:...
- There might be a typing error in the address
- If you clicked on a link, it may be out of date

What you can try:
.....

Rgs,
Fang

Re: Vulnerability on Apache Tomcat Default Files

Posted by FANG YAP <fa...@gmail.com>.
Hello Chris,

They only mention port 8080 and no other info. I will try that telnet
command and see.

On Thu, 6 Aug 2020 at 23:20, Christopher Schultz <chris@christopherschultz.net> wrote:

> Fang,
>
> On 8/5/20 22:16, FANG YAP wrote:
> > Did that as well, but the scanner still flagged but it is to say is
> >  a false positive result in their scan?
> Well, they are complaining that Tomcat is revealing its version number
> (right?). That's not a false-positive. It's just ... I guess being
> picky. I get it: it's best not to reveal anything.
>
> But if their scanner is still finding it, you aren't done yet.
>
> Can they tell you what request causes this "failure" to occur? Maybe
> you fixed 404s but not 400s?
>
> Try making a request like this:
>
> $ telnet localhost 8080
> GET /foo HTML/4.0
> [newline]
> [newline]
>
> See what comes back. That should come back as a 400 Bad Request and it
> might include Tomcat's version information, etc.
>
> -chris
>
> > On Wed, 5 Aug 2020, 04:21 Christopher Schultz, <ch...@christopherschultz.net> wrote:
> >
> > Fang,
> >
> > On 8/3/20 23:10, FANG YAP wrote:
> >>>> I have an issue on the subject mentioned as the vulnerability
> >>>> scan flagged out.
> >>>>
> >>>> Plugin: 12085 Plugin Text: Apache Tomcat Default Files
> >>>> Protocol: TCP Port: 8080
> >>>>
> >>>> Apache Tomcat 8.5.55 (x64-bit machines)
> >>>>
> >>>> In my app folder (located in the webapp folder) I already had
> >>>> the necessary error pages. Also indicated the error jsp file
> >>>> in the app's web.xml. How to know what should be shown when
> >>>> they(user) enter the wrong site for tomcat?
> >>>>
> >>>> Should it be showing this page below or it should show my
> >>>> custom error page set in app's web.xml? HTTP 404 No Found The
> >>>> webpage cannot be found.. Most likely causes:... - There
> >>>> might be a typing error in the address - If you clicked on a
> >>>> link, it may be out of date
> >>>>
> >>>> What you can try: .....
> >
> > This doesn't look like a vuln to me. Your scanner is being
> > overzealous.
> >
> > But if you want to replace the 404 Not Found page when you request
> > /noapp and your application is deployed to /myapp then you can't
> > fix the problem in "myapp". You have to make other arrangements.
> >
> > The easiest thing to do is deploy a ROOT application with all
> > errors (including 404) pointing to a custom error page. You can do
> > this in your ROOT application's WEB-INF/web.xml file.
> >
> > -chris
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >

Re: Vulnerability on Apache Tomcat Default Files

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Fang,

On 8/5/20 22:16, FANG YAP wrote:
> Did that as well, but the scanner still flagged but it is to say is
>  a false positive result in their scan?
Well, they are complaining that Tomcat is revealing its version number
(right?). That's not a false-positive. It's just ... I guess being
picky. I get it: it's best not to reveal anything.

But if their scanner is still finding it, you aren't done yet.

Can they tell you what request causes this "failure" to occur? Maybe
you fixed 404s but not 400s?

Try making a request like this:

$ telnet localhost 8080
GET /foo HTML/4.0
[newline]
[newline]

See what comes back. That should come back as a 400 Bad Request and it
might include Tomcat's version information, etc.

-chris

> On Wed, 5 Aug 2020, 04:21 Christopher Schultz, <ch...@christopherschultz.net> wrote:
>
> Fang,
>
> On 8/3/20 23:10, FANG YAP wrote:
>>>> I have an issue on the subject mentioned as the vulnerability
>>>> scan flagged out.
>>>>
>>>> Plugin: 12085 Plugin Text: Apache Tomcat Default Files
>>>> Protocol: TCP Port: 8080
>>>>
>>>> Apache Tomcat 8.5.55 (x64-bit machines)
>>>>
>>>> In my app folder (located in the webapp folder) I already had
>>>> the necessary error pages. Also indicated the error jsp file
>>>> in the app's web.xml. How to know what should be shown when
>>>> they(user) enter the wrong site for tomcat?
>>>>
>>>> Should it be showing this page below or it should show my
>>>> custom error page set in app's web.xml? HTTP 404 No Found The
>>>> webpage cannot be found.. Most likely causes:... - There
>>>> might be a typing error in the address - If you clicked on a
>>>> link, it may be out of date
>>>>
>>>> What you can try: .....
>
> This doesn't look like a vuln to me. Your scanner is being
> overzealous.
>
> But if you want to replace the 404 Not Found page when you request
> /noapp and your application is deployed to /myapp then you can't
> fix the problem in "myapp". You have to make other arrangements.
>
> The easiest thing to do is deploy a ROOT application with all
> errors (including 404) pointing to a custom error page. You can do
> this in your ROOT application's WEB-INF/web.xml file.
>
> -chris

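The telnet probe Chris describes above, written out as an added check script so an operator can reproduce the scanner's finding on their own instance. This is not code from the thread or from Tomcat. It sends the same malformed request line over a raw socket and then inspects whatever comes back (whatever the status code turns out to be) for the markers of Tomcat's built-in error page and for an "Apache Tomcat/x.y.z" version string, which is the thing the scanner is objecting to. The two sample responses are constructed for the offline self-test, not captured from a server; the hostname, port and the body of the "custom" response are assumptions.

```python
import re
import socket

# Constructed sample responses for the offline self-test. Neither was captured
# from a real server; the version string is the one the thread mentions.
SAMPLE_DEFAULT_400 = (
    b"HTTP/1.1 400 \r\n"
    b"Content-Type: text/html;charset=utf-8\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<!doctype html><html lang=\"en\"><head>"
    b"<title>HTTP Status 400 \xe2\x80\x93 Bad Request</title></head><body>"
    b"<h1>HTTP Status 400 \xe2\x80\x93 Bad Request</h1><hr class=\"line\" />"
    b"<p><b>Type</b> Status Report</p>"
    b"<h3>Apache Tomcat/8.5.55</h3></body></html>"
)

# Assumed shape of a hardened reply: same status, neutral body, no banner.
SAMPLE_CUSTOM_400 = (
    b"HTTP/1.1 400 \r\n"
    b"Content-Type: text/html;charset=utf-8\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<!doctype html><html><body><p>Bad request.</p></body></html>"
)

VERSION_RE = re.compile(rb"Apache Tomcat/(\d+(?:\.\d+)+)")
# Fragments characteristic of Tomcat's built-in error report page.
DEFAULT_PAGE_MARKERS = (b"<h1>HTTP Status ", b"<hr class=\"line\"", b"Status Report")


def build_raw_request(path="/foo", protocol="HTML/4.0"):
    """The request line from Chris's telnet session: a bogus protocol token
    that Tomcat will refuse, followed by the blank line that ends the headers."""
    return f"GET {path} {protocol}\r\n\r\n".encode("ascii")


def split_response(raw):
    """Return (status, headers, body) from a raw HTTP response. Tolerates a
    missing reason phrase, which Tomcat 8.5 omits from its status line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def inspect_response(raw):
    """Summarise what the response gives away, independent of its status code."""
    status, headers, body = split_response(raw)
    match = VERSION_RE.search(body)
    return {
        "status": status,
        "version_in_body": match.group(1).decode("ascii") if match else None,
        "server_header": headers.get("server"),
        "default_error_page": any(m in body for m in DEFAULT_PAGE_MARKERS),
    }


def probe(host="localhost", port=8080, timeout=5.0):
    """Send the malformed request to a live instance and inspect the reply.
    Host and port are assumptions; point them at your own test server."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_raw_request())
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return inspect_response(b"".join(chunks))


if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DEFAULT_400), ("custom", SAMPLE_CUSTOM_400)):
        print(label, inspect_response(sample))
```

Run `probe()` against a test instance after each change to the error pages; if `version_in_body` is still populated or `default_error_page` is still true for the error status the scanner exercises, the container-generated page is still being served and the webapp-level fix has not reached that case.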

Re: Vulnerability on Apache Tomcat Default Files

Posted by FANG YAP <fa...@gmail.com>.
Hi Chris,

Did that as well, but the scanner still flagged it. Is that to say it is a false
positive result in their scan?

Regards with Thanks,

Fang

On Wed, 5 Aug 2020, 04:21 Christopher Schultz, <ch...@christopherschultz.net> wrote:

> Fang,
>
> On 8/3/20 23:10, FANG YAP wrote:
> > I have an issue on the subject mentioned as the vulnerability scan
> > flagged out.
> >
> > Plugin: 12085 Plugin Text: Apache Tomcat Default Files Protocol:
> > TCP Port: 8080
> >
> > Apache Tomcat 8.5.55 (x64-bit machines)
> >
> > In my app folder (located in the webapp folder) I already had the
> > necessary error pages. Also indicated the error jsp file in the
> > app's web.xml. How to know what should be shown when they(user)
> > enter the wrong site for tomcat?
> >
> > Should it be showing this page below or it should show my custom
> > error page set in app's web.xml? HTTP 404 No Found The webpage
> > cannot be found.. Most likely causes:... - There might be a typing
> > error in the address - If you clicked on a link, it may be out of
> > date
> >
> > What you can try: .....
>
> This doesn't look like a vuln to me. Your scanner is being overzealous.
>
> But if you want to replace the 404 Not Found page when you request
> /noapp and your application is deployed to /myapp then you can't fix
> the problem in "myapp". You have to make other arrangements.
>
> The easiest thing to do is deploy a ROOT application with all errors
> (including 404) pointing to a custom error page. You can do this in
> your ROOT application's WEB-INF/web.xml file.
>
> -chris

Re: Vulnerability on Apache Tomcat Default Files

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Fang,

On 8/3/20 23:10, FANG YAP wrote:
> I have an issue on the subject mentioned as the vulnerability scan
> flagged out.
>
> Plugin: 12085 Plugin Text: Apache Tomcat Default Files Protocol:
> TCP Port: 8080
>
> Apache Tomcat 8.5.55 (x64-bit machines)
>
> In my app folder (located in the webapp folder) I already had the
> necessary error pages. Also indicated the error jsp file in the
> app's web.xml. How to know what should be shown when they(user)
> enter the wrong site for tomcat?
>
> Should it be showing this page below or it should show my custom
> error page set in app's web.xml? HTTP 404 No Found The webpage
> cannot be found.. Most likely causes:... - There might be a typing
> error in the address - If you clicked on a link, it may be out of
> date
>
> What you can try: .....

This doesn't look like a vuln to me. Your scanner is being overzealous.

But if you want to replace the 404 Not Found page when you request
/noapp and your application is deployed to /myapp then you can't fix
the problem in "myapp". You have to make other arrangements.

The easiest thing to do is deploy a ROOT application with all errors
(including 404) pointing to a custom error page. You can do this in
your ROOT application's WEB-INF/web.xml file.

-chris

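The ROOT-application arrangement Chris describes, as an added example of what its WEB-INF/web.xml could contain. This is not taken from the thread or from the Tomcat distribution; the page name /error.html and the display name are assumptions. Besides the explicit 404 and 400 entries, a Servlet 3.0 or later descriptor also accepts an `<error-page>` with neither `<error-code>` nor `<exception-type>`, which catches every status or exception not listed, so nothing falls through to the container's own page.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed ROOT/WEB-INF/web.xml: a minimal catch-all application whose only
     job is to own the error pages for requests that match no other context. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <display-name>ROOT error-page holder</display-name>

  <!-- The status codes the scanner and the thread talk about. The location is
       a static file in the ROOT webapp; it says nothing about the server. -->
  <error-page>
    <error-code>404</error-code>
    <location>/error.html</location>
  </error-page>
  <error-page>
    <error-code>400</error-code>
    <location>/error.html</location>
  </error-page>

  <!-- Servlet 3.0+: no error-code or exception-type means "everything else",
       including 500s and any unhandled exception. -->
  <error-page>
    <location>/error.html</location>
  </error-page>

</web-app>
```

The location is reached by an internal forward, so it can be a plain HTML file or a JSP that keeps the response status; either way, keep it free of any server or version text. This descriptor only governs responses produced once a request has been mapped to a web application, which is why Chris's follow-up question (404s fixed but perhaps not 400s) and his telnet test still matter: a request the container rejects while parsing it is answered by the container rather than by ROOT. Outside anything in the thread, Tomcat 8.5 also exposes `showServerInfo` and `showReport` attributes on its ErrorReportValve for trimming the container-generated page itself.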