Fang,

On 8/5/20 22:16, FANG YAP wrote:
> Did that as well, but the scanner still flagged it. Is that to say it
> is a false positive result in their scan?

Well, they are complaining that Tomcat is revealing its version number
(right?). That's not a false-positive. It's just ... I guess being picky.

I get it: it's best not to reveal anything. But if their scanner is
still finding it, you aren't done yet.

Can they tell you what request causes this "failure" to occur? Maybe you
fixed 404s but not 400s? Try making a request like this:

$ telnet localhost 8080
GET /foo HTML/4.0
[newline]
[newline]

See what comes back. That should come back as a 400 Bad Request and it
might include Tomcat's version information, etc.

-chris

> On Wed, 5 Aug 2020, 04:21 Christopher Schultz, <ch...@christopherschultz.net>
> wrote:
>
> Fang,
>
> On 8/3/20 23:10, FANG YAP wrote:
>> I have an issue on the subject mentioned as the vulnerability
>> scan flagged out.
>>
>> Plugin: 12085
>> Plugin Text: Apache Tomcat Default Files
>> Protocol: TCP
>> Port: 8080
>>
>> Apache Tomcat 8.5.55 (x64-bit machines)
>>
>> In my app folder (located in the webapp folder) I already had
>> the necessary error pages. Also indicated the error jsp file
>> in the app's web.xml. How to know what should be shown when
>> they (user) enter the wrong site for tomcat?
>>
>> Should it be showing this page below or it should show my
>> custom error page set in app's web.xml?
>>
>> HTTP 404 Not Found
>> The webpage cannot be found.
>> Most likely causes: ...
>> - There might be a typing error in the address
>> - If you clicked on a link, it may be out of date
>>
>> What you can try: .....
>
> This doesn't look like a vuln to me. Your scanner is being
> overzealous.
>
> But if you want to replace the 404 Not Found page when you request
> /noapp and your application is deployed to /myapp then you can't
> fix the problem in "myapp". You have to make other arrangements.
>
> The easiest thing to do is deploy a ROOT application with all
> errors (including 404) pointing to a custom error page. You can do
> this in your ROOT application's WEB-INF/web.xml file.
>
> -chris
>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
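The ROOT application descriptor that Chris's earlier reply describes, written out as an added example (it is not code from the thread, nor one of the files Tomcat ships). It assumes a Tomcat 8.5 install, a Servlet 3.1 descriptor at $CATALINA_BASE/webapps/ROOT/WEB-INF/web.xml, and a static file webapps/ROOT/error.html that you write yourself and that contains no server or version details:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: $CATALINA_BASE/webapps/ROOT/WEB-INF/web.xml -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <display-name>ROOT (custom error pages)</display-name>

  <!-- Requests for contexts that do not exist (/noapp) map to ROOT,
       so ROOT's 404 mapping is the one the scanner will see. -->
  <error-page>
    <error-code>404</error-code>
    <location>/error.html</location>
  </error-page>

  <!-- Cover 400 and 500 explicitly as well; same static page. -->
  <error-page>
    <error-code>400</error-code>
    <location>/error.html</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/error.html</location>
  </error-page>

  <!-- Any uncaught exception from servlets/JSPs in ROOT itself. -->
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.html</location>
  </error-page>

  <!-- Servlet 3.0+ default mapping: every other status code or
       exception not matched above lands on the same page. -->
  <error-page>
    <location>/error.html</location>
  </error-page>

</web-app>
```

Two caveats that follow from the thread. First, an error-page mapping only applies once a request has been mapped to a context; a request line Tomcat cannot parse at all (the "GET /foo HTML/4.0" probe above) is rejected before that, so its 400 body may still be rendered by Tomcat's own ErrorReportValve rather than by this descriptor. The valve's output is controlled separately, on the Host in server.xml, where showReport="false" and showServerInfo="false" suppress the stack trace and the version string; that is a setting the thread does not mention, added here because it is the piece this web.xml cannot reach. Second, the stock ROOT webapp that ships with Tomcat is the "welcome" page, so deploying your own ROOT means replacing it, not just adding a web.xml beside it.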