On 02/05/18 20:51, Leon Rosenberg wrote:
> Hi Mark,
>
> I agree with you that the complaint about version number is rather a minor
> one, however, I've had the same situation as one of our projects had to
> pass through a PCI Compliance test, and this is what they really test for.

Don't get me started on PCI compliance...

Oh, and Cris - take a look at the ErrorReportValve. That is where the
default error page is coming from.

Mark

> regards
> Leon
>
> On Wed, May 2, 2018 at 9:42 PM, Mark Thomas <ma...@apache.org> wrote:
>
>> On 02/05/18 20:27, Berneburg, Cris J. - US wrote:
>>> We are getting dinged by a vulnerability scan for the default not-found
>>> error page being returned by Tomcat for a Status 404.
>>>
>>> On my dev server when requesting an invalid URL, Tomcat returns a Status
>>> 404 page that displays the Tomcat version. Right, I need to do something
>>> about that.
>>>
>>> However, I can't find where the error-page for 404 is defined. It's not
>>> defined in:
>>> - webapps/ROOT/WEB-INF/web.xml
>>> - conf/web.xml
>>> - conf/server.xml
>>> - conf/context.xml
>>>
>>> Also, I can't find a notFound or error page either.
>>>
>>> How do I get rid of or override the default error / 404 / not-found page
>>> if I can't find it or where it is currently defined? Also, how is Tomcat
>>> returning the default 404 error page if it does not exist? I hope it's not
>>> hardcoded in a servlet response.
>>>
>>> FYI, we're going to remove the ROOT, docs, and examples folders to
>>> mitigate other scan findings.
>>>
>>> And we're using Tomcat 6.0.37 (ahem).
>>
>> And you are worried about returning the version number? Have you seen
>> how many real security issues (as opposed to this version number
>> non-issue) there are in 6.0.37? I can't help but think your priorities
>> are all wrong.
>>
>> Hiding the version info is trivial.
>> Create the following directory structure:
>> $CATALINA_HOME/lib/org/apache/catalina/util
>>
>> Download this file:
>> https://svn.apache.org/viewvc/tomcat/archive/tc6.0.x/trunk/java/org/apache/catalina/util/ServerInfo.properties?revision=1803960&view=co
>>
>> Place it in that directory and modify the three properties to whatever
>> value you like.
>>
>> Restart Tomcat.
>>
>> Mark
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
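One way to script the ServerInfo.properties override Mark describes, as an added example that is not part of the thread. It assumes CATALINA_HOME points at the Tomcat installation and uses the three property names found in Tomcat's own ServerInfo.properties (server.info, server.number, server.built); the replacement values are arbitrary, as Mark says.

```shell
#!/bin/sh
# Added example, not from the thread: scripts the ServerInfo.properties
# override. Assumes CATALINA_HOME points at the Tomcat install; the property
# names are those in Tomcat's own ServerInfo.properties.

# Write an override copy of ServerInfo.properties under $CATALINA_HOME/lib.
# The lib/ directory is listed before lib/*.jar in the common loader path,
# so a resource found there shadows the copy packaged in catalina.jar.
install_server_info_override() {
  dir="$1/lib/org/apache/catalina/util"
  file="$dir/ServerInfo.properties"
  mkdir -p "$dir"
  cat > "$file" <<'EOF'
# Replacement values: name the product but not the version.
server.info=Apache Tomcat
server.number=0
server.built=unknown
EOF
  printf '%s\n' "$file"
}

# Print the value of one property from the override file (empty if absent).
server_info_value() {
  sed -n "s/^$2=//p" "$1/lib/org/apache/catalina/util/ServerInfo.properties"
}

# Exit 0 when any of the three properties still contains a dotted version
# number such as 6.0.37, i.e. the file would still disclose the version.
server_info_leaks_version() {
  grep -Eq '^server\.(info|number|built)=.*[0-9]+\.[0-9]+' "$1"
}

# Usage: CATALINA_HOME=/opt/tomcat sh hide-version.sh
if [ -n "${CATALINA_HOME:-}" ] && [ -d "$CATALINA_HOME/lib" ]; then
  f=$(install_server_info_override "$CATALINA_HOME")
  if server_info_leaks_version "$f"; then
    echo "override still contains a version number" >&2
    exit 1
  fi
  echo "wrote $f; restart Tomcat for it to take effect"
fi
```

The override only changes what ServerInfo reports; the ErrorReportValve page Mark points Cris to still has to be dealt with separately, and the 6.0.37 vulnerabilities he mentions are not addressed by either.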