Posted to users@tomcat.apache.org by "Berneburg, Cris J. - US" <cb...@caci.com> on 2018/05/02 19:27:52 UTC

tomcat 6 vulnerability scan default error page help

We are getting dinged by a vulnerability scan for the default not-found error page being returned by Tomcat for a Status 404.

On my dev server when requesting an invalid URL, Tomcat returns a Status 404 page that displays the Tomcat version.  Right, I need to do something about that.

However, I can't find where the error-page for 404 is defined.  It's not defined in:
- webapps/ROOT/WEB-INF/web.xml
- conf/web.xml
- conf/server.xml
- conf/context.xml

Also, I can't find a notFound or error page either.

How do I get rid of or override the default error / 404 / not-found page if I can't find it or where it is currently defined?  Also, how is Tomcat returning the default 404 error page if it does not exist?  I hope it's not hardcoded in a servlet response.

FYI, we're going to remove the ROOT, docs, and examples folders to mitigate other scan findings.

And we're using Tomcat 6.0.37 (ahem).

--
Cris Berneburg
CACI Lead Software Engineer


Re: tomcat 6 vulnerability scan default error page help

Posted by Leon Rosenberg <ro...@gmail.com>.
Hi Cris,

try adding the following to your web.xml:
<error-page>
    <error-code>404</error-code>               <!-- HTTP status code -->
    <location>/error404.html</location>        <!-- static page, servlet URL or JSP -->
</error-page>
regards
Leon


On Wed, May 2, 2018 at 9:27 PM, Berneburg, Cris J. - US <cberneburg@caci.com> wrote:

> We are getting dinged by a vulnerability scan for the default not-found
> error page being returned by Tomcat for a Status 404.
>
> On my dev server when requesting an invalid URL, Tomcat returns a Status
> 404 page that displays the Tomcat version.  Right, I need to do something
> about that.
>
> However, I can't find where the error-page for 404 is defined.  It's not
> defined in:
> - webapps/ROOT/WEB-INF/web.xml
> - conf/web.xml
> - conf/server.xml
> - conf/context.xml
>
> Also, I can't find a notFound or error page either.
>
> How do I get rid of or override the default error / 404 / not-found page
> if I can't find it or where it is currently defined?  Also, how is Tomcat
> returning the default 404 error page if it does not exist?  I hope it's not
> hardcoded in a servlet response.
>
> FYI, we're going to remove the ROOT, docs, and examples folders to
> mitigate other scan findings.
>
> And we're using Tomcat 6.0.37 (ahem).
>
> --
> Cris Berneburg
> CACI Lead Software Engineer
>
>

RE: tomcat 6 vulnerability scan default error page help

Posted by "Berneburg, Cris J. - US" <cb...@caci.com>.
Mark

Thanks for taking the time to help.  Again, I appreciate it.

cjb> We are getting dinged by a vulnerability scan for the default
cjb> not-found error page being returned by Tomcat for a Status 404.
cjb> [...]
cjb> And we're using Tomcat 6.0.37 (ahem).

MT> And you are worried about returning the version number? Have you
MT> seen how many real security issues (as opposed to this version
MT> number non-issue) there are in 6.0.37? I can't help but think
MT> your priorities are all wrong.

While I agree that we need to upgrade Tomcat, and it is long overdue, I disagree that my priorities are *all* wrong. (tongue-in-cheek)  The compliance deadline looms a bit close to allow time for staging and regression testing. (panicked)

Ironically, the scan said nothing about the Tomcat version itself:

"The remote web server contains default files.  The default error page, default index page, example JSPs, and/or example servlets are installed on the remote Apache Tomcat server. These files should be removed as they may help an attacker uncover information about the remote Tomcat install or host itself.  Delete the default index page and remove the example JSP and servlets. Follow the Tomcat or OWASP instructions to replace or modify the default error page."

--
Cris Berneburg
CACI Lead Software Engineer


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: tomcat 6 vulnerability scan default error page help

Posted by "Berneburg, Cris J. - US" <cb...@caci.com>.
-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org] 
Sent: Wednesday, May 2, 2018 4:01 PM
To: users@tomcat.apache.org
Subject: Re: tomcat 6 vulnerability scan default error page help

> On 02/05/18 20:51, Leon Rosenberg wrote:
> > Hi Mark,
> >
> > I agree with you that the complaint about version number is rather a 
> > minor one, however, I've had the same situation as one of our projects 
> > had to pass through a PCI Compliance test, and this is what they really test for.
>
> Don't get me started on PCI compliance...
>
> Oh, and Cris - take a look at the ErrorReportValve.
> That is where the default error page is coming from.
>
> Mark

Thanks Mark, will do - once all this compliance stuff dies down.

--
Cris Berneburg
CACI Lead Software Engineer




Re: tomcat 6 vulnerability scan default error page help

Posted by Mark Thomas <ma...@apache.org>.
On 02/05/18 20:51, Leon Rosenberg wrote:
> Hi Mark,
> 
> I agree with you that the complaint about version number is rather a minor
> one, however, I've had the same situation as one of our projects had to
> pass through a PCI Compliance test, and this is what they really test for.

Don't get me started on PCI compliance...

Oh, and Cris - take a look at the ErrorReportValve. That is where the
default error page is coming from.

Mark


> 
> regards
> Leon
> 
> On Wed, May 2, 2018 at 9:42 PM, Mark Thomas <ma...@apache.org> wrote:
> 
>> On 02/05/18 20:27, Berneburg, Cris J. - US wrote:
>>> We are getting dinged by a vulnerability scan for the default not-found
>> error page being returned by Tomcat for a Status 404.
>>>
>>> On my dev server when requesting an invalid URL, Tomcat returns a Status
>> 404 page that displays the Tomcat version.  Right, I need to do something
>> about that.
>>>
>>> However, I can't find where the error-page for 404 is defined.  It's not
>> defined in:
>>> - webapps/ROOT/WEB-INF/web.xml
>>> - conf/web.xml
>>> - conf/server.xml
>>> - conf/context.xml
>>>
>>> Also, I can't find a notFound or error page either.
>>>
>>> How do I get rid of or override the default error / 404 / not-found page
>> if I can't find it or where it is currently defined?  Also, how is Tomcat
>> returning the default 404 error page if it does not exist?  I hope it's not
>> hardcoded in a servlet response.
>>>
>>> FYI, we're going to remove the ROOT, docs, and examples folders to
>> mitigate other scan findings.
>>>
>>> And we're using Tomcat 6.0.37 (ahem).
>>
>> And you are worried about returning the version number? Have you seen
>> how many real security issues (as opposed to this version number
>> non-issue) there are in 6.0.37? I can't help but think your priorities
>> are all wrong.
>>
>> Hiding the version info is trivial
>> Create the following directory structure:
>> $CATALINA_HOME/lib/org/apache/catalina/util
>>
>> Download this file:
>> https://svn.apache.org/viewvc/tomcat/archive/tc6.0.x/trunk/
>> java/org/apache/catalina/util/ServerInfo.properties?
>> revision=1803960&view=co
>>
>> Place it in that directory and modify the three properties to whatever
>> value you like.
>>
>> Restart Tomcat.
>>
>> Mark
>>
>>
>>
> 




Re: tomcat 6 vulnerability scan default error page help

Posted by Leon Rosenberg <ro...@gmail.com>.
Hi Mark,

I agree with you that the complaint about version number is rather a minor
one, however, I've had the same situation as one of our projects had to
pass through a PCI Compliance test, and this is what they really test for.

regards
Leon

On Wed, May 2, 2018 at 9:42 PM, Mark Thomas <ma...@apache.org> wrote:

> On 02/05/18 20:27, Berneburg, Cris J. - US wrote:
> > We are getting dinged by a vulnerability scan for the default not-found
> error page being returned by Tomcat for a Status 404.
> >
> > On my dev server when requesting an invalid URL, Tomcat returns a Status
> 404 page that displays the Tomcat version.  Right, I need to do something
> about that.
> >
> > However, I can't find where the error-page for 404 is defined.  It's not
> defined in:
> > - webapps/ROOT/WEB-INF/web.xml
> > - conf/web.xml
> > - conf/server.xml
> > - conf/context.xml
> >
> > Also, I can't find a notFound or error page either.
> >
> > How do I get rid of or override the default error / 404 / not-found page
> if I can't find it or where it is currently defined?  Also, how is Tomcat
> returning the default 404 error page if it does not exist?  I hope it's not
> hardcoded in a servlet response.
> >
> > FYI, we're going to remove the ROOT, docs, and examples folders to
> mitigate other scan findings.
> >
> > And we're using Tomcat 6.0.37 (ahem).
>
> And you are worried about returning the version number? Have you seen
> how many real security issues (as opposed to this version number
> non-issue) there are in 6.0.37? I can't help but think your priorities
> are all wrong.
>
> Hiding the version info is trivial
> Create the following directory structure:
> $CATALINA_HOME/lib/org/apache/catalina/util
>
> Download this file:
> https://svn.apache.org/viewvc/tomcat/archive/tc6.0.x/trunk/
> java/org/apache/catalina/util/ServerInfo.properties?
> revision=1803960&view=co
>
> Place it in that directory and modify the three properties to whatever
> value you like.
>
> Restart Tomcat.
>
> Mark
>
>
>

Re: tomcat 6 vulnerability scan default error page help

Posted by Mark Thomas <ma...@apache.org>.
On 02/05/18 20:27, Berneburg, Cris J. - US wrote:
> We are getting dinged by a vulnerability scan for the default not-found error page being returned by Tomcat for a Status 404.
> 
> On my dev server when requesting an invalid URL, Tomcat returns a Status 404 page that displays the Tomcat version.  Right, I need to do something about that.
> 
> However, I can't find where the error-page for 404 is defined.  It's not defined in:
> - webapps/ROOT/WEB-INF/web.xml
> - conf/web.xml
> - conf/server.xml
> - conf/context.xml
> 
> Also, I can't find a notFound or error page either.
> 
> How do I get rid of or override the default error / 404 / not-found page if I can't find it or where it is currently defined?  Also, how is Tomcat returning the default 404 error page if it does not exist?  I hope it's not hardcoded in a servlet response.
> 
> FYI, we're going to remove the ROOT, docs, and examples folders to mitigate other scan findings.
> 
> And we're using Tomcat 6.0.37 (ahem).

And you are worried about returning the version number? Have you seen
how many real security issues (as opposed to this version number
non-issue) there are in 6.0.37? I can't help but think your priorities
are all wrong.

Hiding the version info is trivial
Create the following directory structure:
$CATALINA_HOME/lib/org/apache/catalina/util

Download this file:
https://svn.apache.org/viewvc/tomcat/archive/tc6.0.x/trunk/java/org/apache/catalina/util/ServerInfo.properties?revision=1803960&view=co

Place it in that directory and modify the three properties to whatever
value you like.

Restart Tomcat.

Mark



RE: tomcat 6 vulnerability scan default error page help

Posted by "Berneburg, Cris J. - US" <cb...@caci.com>.
Leon, Mark, and Alejandro

Thanks for your time and suggestions.  I appreciate it.

cjb> We are getting dinged by a vulnerability scan for the default
cjb> not-found error page being returned by Tomcat for a Status 404.
cjb> [...]
cjb> However, I can't find where the error-page for 404 is defined.
cjb> [...] How do I get rid of or override the default error
cjb> / 404 / not-found page

LR> try to add following to your web.xml <error-page>

MT> $CATALINA_HOME/lib/org/apache/catalina/util
MT> Download this file: [...] ServerInfo.properties
MT> [...] modify the three properties to whatever value you like

AV> unpack catalina.jar in tomcat lib directory,
AV> then go to org\apache\catalina\util\,
AV> open ServerInfo.properties and edit it

I'm thinking of opting for the simplest and quickest possible solution, which is to add an <error-page> section to the main Tomcat conf/web.xml file but *not* supply the static page specified in the <location>.

Experimenting with that arrangement returns a 404 but no page contents, which conforms to the security finding of not returning the default 404 error page.

The least complex solution is most likely to succeed because it has the greatest chance of being deployed correctly within our tight deadline.

--
Cris Berneburg
CACI Lead Software Engineer
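An added example (not code from the thread or from Tomcat) for checking the result of whichever fix is chosen: it classifies a 404 response body the way the scan finding describes it, flagging an "Apache Tomcat/<version>" banner as a leak, an empty body (the arrangement Cris describes) as empty, and anything else as a custom page. The sample bodies are constructed approximations of the default page shape, not captured output, and the target URL in check_not_found_page is a placeholder that needs curl and a running server.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies what a scanner sees on a 404
# after hardening. Sample bodies below are constructed, not captured.

# True (exit 0) when a response body carries an "Apache Tomcat/<version>" banner,
# which the default ErrorReportValve page prints in its title and footer.
leaks_tomcat_version() {
    printf '%s' "$1" | grep -Eq 'Apache Tomcat/[0-9]+\.[0-9]+'
}

# Classify a 404 body: "empty" when there is no body at all (Cris's chosen
# arrangement), "leak" when a version banner is present, "custom" otherwise.
classify_404_body() {
    if [ -z "$1" ]; then
        echo empty
    elif leaks_tomcat_version "$1"; then
        echo leak
    else
        echo custom
    fi
}

# Fetch a path that cannot exist and classify the result. Needs curl and a
# reachable server, so the constructed samples below do not exercise it.
# Usage: check_not_found_page http://localhost:8080   (placeholder base URL)
check_not_found_page() {
    base="$1"
    path="/this-path-should-not-exist-$$"
    body=$(curl -s "$base$path")
    code=$(curl -s -o /dev/null -w '%{http_code}' "$base$path")
    printf 'status=%s body=%s\n' "$code" "$(classify_404_body "$body")"
}

# Constructed sample bodies (approximations of the page shapes).
SAMPLE_DEFAULT='<html><head><title>Apache Tomcat/6.0.37 - Error report</title></head><body><h1>HTTP Status 404 - /nope</h1><h3>Apache Tomcat/6.0.37</h3></body></html>'
SAMPLE_CUSTOM='<html><body><h1>Not found</h1></body></html>'
SAMPLE_EMPTY=''
```

Run classify_404_body on the three samples to see the three outcomes; point check_not_found_page at a staging server to see the live result, and expect a "404" status with "empty" or "custom" once the error-page change is deployed.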




Re: tomcat 6 vulnerability scan default error page help

Posted by al...@kymsolutions.com.
You need to unpack catalina.jar in the Tomcat lib directory,
then go to org\apache\catalina\util\,
open ServerInfo.properties and edit it:

server.info=Apache Tomcat
server.number=
server.built=

You need to set these variables to empty, as shown above.

Save the file.
Pack it as a jar again.
Put it in the tomcat\lib directory again.

Hope this helps; I'm using Tomcat 8.0.27.



"Berneburg, Cris J. - US" <cb...@caci.com> wrote:

> We are getting dinged by a vulnerability scan for the default  
> not-found error page being returned by Tomcat for a Status 404.
>
> On my dev server when requesting an invalid URL, Tomcat returns a  
> Status 404 page that displays the Tomcat version.  Right, I need to  
> do something about that.
>
> However, I can't find where the error-page for 404 is defined.  It's  
> not defined in:
> - webapps/ROOT/WEB-INF/web.xml
> - conf/web.xml
> - conf/server.xml
> - conf/context.xml
>
> Also, I can't find a notFound or error page either.
>
> How do I get rid of or override the default error / 404 / not-found  
> page if I can't find it or where it is currently defined?  Also, how  
> is Tomcat returning the default 404 error page if it does not exist?  
>  I hope it's not hardcoded in a servlet response.
>
> FYI, we're going to remove the ROOT, docs, and examples folders to  
> mitigate other scan findings.
>
> And we're using Tomcat 6.0.37 (ahem).
>
> --
> Cris Berneburg
> CACI Lead Software Engineer




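An added example (not code from the thread or from Tomcat) that carries out Mark's variant of the ServerInfo.properties override and Alejandro's blanked values in one script: it creates $CATALINA_HOME/lib/org/apache/catalina/util, writes a ServerInfo.properties there with server.number and server.built empty, and reads the keys back so the result can be checked before restarting. The function names and the CATALINA_HOME path passed in are assumptions; nothing here repacks catalina.jar.

```shell
#!/bin/sh
# Added example, not from the thread. Installs an overriding
# ServerInfo.properties under $CATALINA_HOME/lib (Mark's method) with the
# three properties blanked as in Alejandro's edited file.

# Write the override file. $1 = CATALINA_HOME, $2 = optional server.info text
# (defaults to "Apache Tomcat", i.e. product name without version).
# Prints the path of the file it wrote.
install_server_info_override() {
    home="$1"
    info="${2:-Apache Tomcat}"
    dir="$home/lib/org/apache/catalina/util"
    mkdir -p "$dir"
    printf 'server.info=%s\nserver.number=\nserver.built=\n' "$info" \
        > "$dir/ServerInfo.properties"
    echo "$dir/ServerInfo.properties"
}

# Read one key from a properties file ($1 = file, $2 = key); empty if unset.
read_property() {
    sed -n "s/^$2=//p" "$1"
}

# Report the three values Tomcat will pick up from the override, so the
# change can be reviewed before the restart. $1 = path to the written file.
show_server_info() {
    for key in server.info server.number server.built; do
        printf '%s=[%s]\n' "$key" "$(read_property "$1" "$key")"
    done
}

# Usage (assumed CATALINA_HOME; restart Tomcat afterwards, e.g. bin/shutdown.sh
# then bin/startup.sh, so the new file is loaded):
#   f=$(install_server_info_override /opt/tomcat)
#   show_server_info "$f"
```

The directory form works without touching catalina.jar because, by default, the lib directory itself is listed ahead of the lib jars in the common loader, so the loose ServerInfo.properties is found first; the repacked-jar route Alejandro describes gives the same end result but has to be redone after every jar replacement.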