Hi Mark, I agree with you that the complaint about version number is rather a minor one, however, I've had the same situation as one of our projects had to pass through a PCI Compliance test, and this is what they really test for.
regards Leon On Wed, May 2, 2018 at 9:42 PM, Mark Thomas <ma...@apache.org> wrote: > On 02/05/18 20:27, Berneburg, Cris J. - US wrote: > > We are getting dinged by a vulnerability scan for the default not-found > error page being returned by Tomcat for a Status 404. > > > > On my dev server when requesting an invalid URL, Tomcat returns a Status > 404 page that displays the Tomcat version. Right, I need to do something > about that. > > > > However, I can't find where the error-page for 404 is defined. It's not > defined in: > > - webapps/ROOT/WEB-INF/web.xml > > - conf/web.xml > > - conf/server.xml > > - conf/context.xml > > > > Also, I can't find a notFound or error page either. > > > > How do I get rid of or override the default error / 404 / not-found page > if I can't find it or where it is currently defined? Also, how is Tomcat > returning the default 404 error page if it does not exist? I hope it's not > hardcoded in a servlet response. > > > > FYI, we're going to remove the ROOT, docs, and examples folders to > mitigate other scan findings. > > > > And we're using Tomcat 6.0.37 (ahem). > > And you are worried about returning the version number? Have you seen > how many real security issues (as opposed to this version number > non-issue) there are in 6.0.37? I can't help but think your priorities > are all wrong. > > Hiding the version info is trivial > Create the following directory structure: > $CATALINA_HOME/lib/org/apache/catalina/util > > Download this file: > https://svn.apache.org/viewvc/tomcat/archive/tc6.0.x/trunk/ > java/org/apache/catalina/util/ServerInfo.properties? > revision=1803960&view=co > > Place it in that directory and modify the three properties to whatever > value you like. > > Restart Tomcat. > > Mark > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >