On 02/05/18 20:27, Berneburg, Cris J. - US wrote:
> We are getting dinged by a vulnerability scan for the default not-found error
> page being returned by Tomcat for a Status 404.
>
> On my dev server when requesting an invalid URL, Tomcat returns a Status 404
> page that displays the Tomcat version. Right, I need to do something about
> that.
>
> However, I can't find where the error-page for 404 is defined. It's not
> defined in:
> - webapps/ROOT/WEB-INF/web.xml
> - conf/web.xml
> - conf/server.xml
> - conf/context.xml
>
> Also, I can't find a notFound or error page either.
>
> How do I get rid of or override the default error / 404 / not-found page if I
> can't find it or where it is currently defined? Also, how is Tomcat
> returning the default 404 error page if it does not exist? I hope it's not
> hardcoded in a servlet response.
>
> FYI, we're going to remove the ROOT, docs, and examples folders to mitigate
> other scan findings.
>
> And we're using Tomcat 6.0.37 (ahem).
And you are worried about returning the version number? Have you seen how
many real security issues (as opposed to this version number non-issue) there
are in 6.0.37? I can't help but think your priorities are all wrong.

Hiding the version info is trivial.

Create the following directory structure:
$CATALINA_HOME/lib/org/apache/catalina/util

Download this file:
https://svn.apache.org/viewvc/tomcat/archive/tc6.0.x/trunk/java/org/apache/catalina/util/ServerInfo.properties?revision=1803960&view=co

Place it in that directory and modify the three properties to whatever value
you like.

Restart Tomcat.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
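Editor's note, with an added example that is not part of the thread and not Tomcat project code. The reason Cris could not find a 404 page to edit is that Tomcat's default error page is not a file at all: it is generated by org.apache.catalina.valves.ErrorReportValve, which appends the string from org.apache.catalina.util.ServerInfo (loaded from ServerInfo.properties inside catalina.jar, or from a copy placed under $CATALINA_HOME/lib as Mark describes, since lib/ is searched first). The script below turns Mark's four steps into a function, writes the three keys that file contains (server.info, server.number, server.built) with placeholder values, and adds a check you can run against the 404 body after the restart to confirm the version string is gone. The function names, the placeholder values and the sample 404 body are assumptions and constructed data; this only changes the advertised string, it does not change the 6.0.37 code that the scanner is right to worry about.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread, not Tomcat's own code).
# Assumes: $1 is CATALINA_HOME; the override file carries the same three
# keys as Tomcat's shipped ServerInfo.properties (server.info,
# server.number, server.built). Function names are hypothetical.

# Step 1-3 of Mark's reply: create the directory under lib/ and drop in a
# ServerInfo.properties with whatever values you like. A class resource
# found under $CATALINA_HOME/lib shadows the copy inside catalina.jar.
# Usage: install_serverinfo_override <catalina_home> [info] [number] [built]
install_serverinfo_override() {
    home=$1
    info=${2:-"Apache Tomcat"}      # placeholder: drops the "/6.0.37" suffix
    number=${3:-"0.0.0.0"}          # placeholder version number
    built=${4:-"unknown"}           # placeholder build date
    dir="$home/lib/org/apache/catalina/util"
    mkdir -p "$dir" || return 1
    printf 'server.info=%s\nserver.number=%s\nserver.built=%s\n' \
        "$info" "$number" "$built" > "$dir/ServerInfo.properties"
}

# Read one key back from the override file, so a deploy script can verify
# what will be advertised before step 4 (restarting Tomcat).
# Usage: serverinfo_value <catalina_home> <key>
serverinfo_value() {
    sed -n "s/^$2=//p" "$1/lib/org/apache/catalina/util/ServerInfo.properties"
}

# Returns 0 (true) if the text still carries a Tomcat version banner such
# as "Apache Tomcat/6.0.37", 1 otherwise. After the restart, feed it the
# real 404 body, e.g.:
#   response_leaks_version "$(curl -s http://localhost:8080/no-such-path)"
response_leaks_version() {
    printf '%s' "$1" | grep -Eq 'Apache Tomcat/[0-9]+\.[0-9]+\.[0-9]+'
}

# Constructed sample of the footer ErrorReportValve emits before the
# override is applied; used here only so the check can be exercised offline.
SAMPLE_404_BEFORE='<HTML><BODY><h1>HTTP Status 404 - /no-such-path</h1><HR size="1" noshade="noshade"><h3>Apache Tomcat/6.0.37</h3></BODY></HTML>'
SAMPLE_404_AFTER='<HTML><BODY><h1>HTTP Status 404 - /no-such-path</h1><HR size="1" noshade="noshade"><h3>Apache Tomcat</h3></BODY></HTML>'
```

Run the install function with your real CATALINA_HOME, restart Tomcat, then point response_leaks_version at an actual 404 response; a non-zero exit means the banner is gone. The script deliberately does not touch the Server response header or web.xml error-page mappings, which are separate knobs.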