Posted to dev@tomcat.apache.org by bu...@apache.org on 2018/06/18 20:19:50 UTC
[Bug 62472] New: Tenable (Nessus) Security Scanner reports a 404 page vulnerability when no ROOT web application is deployed in Tomcat 9.0.5 and later
https://bz.apache.org/bugzilla/show_bug.cgi?id=62472
Bug ID: 62472
Summary: Tenable (Nessus) Security Scanner reports a 404 page vulnerability when no ROOT web application is deployed in Tomcat 9.0.5 and later
Product: Tomcat 9
Version: 9.0.5
Hardware: All
OS: All
Status: NEW
Severity: regression
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: dtgjyhdty@yahoo.com
Target Milestone: -----
The vulnerability is Tomcat version disclosure via the 404 error page, see
https://www.tenable.com/plugins/nessus/12085 for details.
Steps to reproduce:
1. Delete everything from the webapps directory.
2. Start Tomcat.
3. Go to http://localhost:8080/test
Tomcat 9.0.4 and all earlier versions show a blank page, which is good because
there's no Tomcat version disclosure. Tomcat 9.0.5 and later show the standard
"HTTP Status 404 – Not Found" page, which contains the Tomcat version number.
If I have a web application deployed in ROOT, it's not a problem, because I can
create a custom 404 error page that doesn't include the Tomcat version number.
But if I don't have ROOT, it becomes impossible without creating a dummy web
application in ROOT that overrides the 404 error page, or modifying
conf/web.xml, which is not always possible or desirable.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
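The report above mentions two ways to stop the default 404 page from naming the Tomcat version (a custom error page in a ROOT application, or editing conf/web.xml). A third option that does not need a ROOT application is to configure the ErrorReportValve, which is the component that renders the standard "HTTP Status 404 – Not Found" page. The fragment below is an added example, not configuration from the bug report or from the Tomcat project; it assumes a default-layout installation where this goes inside the <Host> element of conf/server.xml, and the host name and appBase shown are the stock defaults. The attribute names showServerInfo and showReport are real ErrorReportValve attributes.

```xml
<!-- Added example (not from the bug report): conf/server.xml, inside <Host>.
     Assumed: default host name and appBase of a stock Tomcat 9 install.
     The ErrorReportValve attributes below are documented valve attributes. -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

  <!-- showServerInfo="false": omit the "Apache Tomcat/x.y.z" line from
       the generated error page, so a 404 for an unknown path (including
       one with no ROOT application deployed) no longer discloses the
       version.
       showReport="false": also omit the description/exception section,
       which can carry stack traces or internal class names. -->
  <Valve className="org.apache.catalina.valves.ErrorReportValve"
         showServerInfo="false"
         showReport="false" />

</Host>
```

After restarting Tomcat, request a path that does not exist and confirm the 404 body no longer contains "Apache Tomcat/" followed by a version; that is the same string a scanner plugin such as the Nessus check cited above looks for. Note that this changes only the generated error page: the Server response header, if you have configured one, is set separately on the Connector.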
Remy Maucherat <re...@apache.org> changed:

What       | Removed | Added
-----------|---------|---------
Resolution | ---     | WONTFIX
Status     | NEW     | RESOLVED
--- Comment #1 from Remy Maucherat <re...@apache.org> ---
Changes were made so that Tomcat reports error pages in most cases. The new
behavior in this specific case is a side effect of this change but is not a
regression.
If you would like to discuss how to further update your configuration, please
use the tomcat user mailing list instead.
--- Comment #2 from Michael Osipov <19...@gmx.net> ---
Security by obscurity never worked out.
--- Comment #3 from George Stanchev <st...@hotmail.com> ---
I don't mean to start a discussion that belongs on the user's list, but even
though "security through obscurity" is not a solution, it does help to
mitigate against attacks. There is a reason you don't know a lot about avionics
computers on passenger airliners and you can't find that information easily,
for example. Carpet statements like this, meant to demean people with valid
security concerns, are not very helpful.