On 02/05/18 20:27, Berneburg, Cris J. - US wrote:
> We are getting dinged by a vulnerability scan for the default not-found error 
> page being returned by Tomcat for a Status 404.
> 
> On my dev server when requesting an invalid URL, Tomcat returns a Status 404 
> page that displays the Tomcat version.  Right, I need to do something about 
> that.
> 
> However, I can't find where the error-page for 404 is defined.  It's not 
> defined in:
> - webapps/ROOT/WEB-INF/web.xml
> - conf/web.xml
> - conf/server.xml
> - conf/context.xml
> 
> Also, I can't find a notFound or error page either.
> 
> How do I get rid of or override the default error / 404 / not-found page if I 
> can't find it or where it is currently defined?  Also, how is Tomcat 
> returning the default 404 error page if it does not exist?  I hope it's not 
> hardcoded in a servlet response.
> 
> FYI, we're going to remove the ROOT, docs, and examples folders to mitigate 
> other scan findings.
> 
> And we're using Tomcat 6.0.37 (ahem).

And you are worried about returning the version number? Have you seen
how many real security issues (as opposed to this version number
non-issue) there are in 6.0.37? I can't help but think your priorities
are all wrong.

Hiding the version info is trivial.
Create the following directory structure:
$CATALINA_HOME/lib/org/apache/catalina/util

Download this file:
https://svn.apache.org/viewvc/tomcat/archive/tc6.0.x/trunk/java/org/apache/catalina/util/ServerInfo.properties?revision=1803960&view=co

Place it in that directory and modify the three properties to whatever
value you like.

Restart Tomcat.

Mark
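As an added example (not code from the thread or from the Tomcat project), a POSIX shell script that applies the override described above: it creates the directory, writes a ServerInfo.properties with all three properties replaced, and includes a check that tells whether a response body still carries the stock "Apache Tomcat/x.y.z" banner. It assumes the property names server.info, server.number and server.built found in Tomcat's ServerInfo.properties, and the 404 body used for the check is constructed here.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread.
# Shadows catalina.jar's ServerInfo.properties with a copy placed under
# $CATALINA_HOME/lib, which is what makes the banner disappear from the
# default error pages, then offers a check for the banner in a response body.

# Write the override file.
#   $1 = CATALINA_HOME, $2 = value to show instead of "Apache Tomcat/6.0.37"
write_server_info() {
    home="$1"
    banner="${2:-Apache Tomcat}"
    dir="$home/lib/org/apache/catalina/util"
    mkdir -p "$dir" || return 1
    # All three properties are replaced so no value reveals the real build.
    # Property names are those used in Tomcat's ServerInfo.properties
    # (assumption; verify against the file linked in the reply above).
    printf 'server.info=%s\nserver.number=0.0.0.0\nserver.built=unknown\n' \
        "$banner" > "$dir/ServerInfo.properties"
}

# Return 0 if the response body in $1 still contains a Tomcat version
# string such as "Apache Tomcat/6.0.37", 1 otherwise. Feed it the body of a
# request for a URL that does not exist (e.g. from curl) after the restart.
leaks_version() {
    printf '%s\n' "$1" | grep -q 'Apache Tomcat/[0-9][0-9.]*'
}

# Constructed sample of the stock Tomcat 6 "404 Not Found" page footer.
SAMPLE_404='<html><body><h1>HTTP Status 404 - /nope</h1><hr>
<h3>Apache Tomcat/6.0.37</h3></body></html>'

main() {
    # Uses $CATALINA_HOME when set; otherwise a scratch dir for a dry run.
    home="${CATALINA_HOME:-$(mktemp -d)}"
    write_server_info "$home" "Web Server" &&
        echo "wrote $home/lib/org/apache/catalina/util/ServerInfo.properties"
    if leaks_version "$SAMPLE_404"; then
        echo "sample 404 body still reveals the Tomcat version"
    fi
    echo "restart Tomcat, then re-request an invalid URL and re-run the check"
}

main "$@"
```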
