Folks,

On 8/24/2021 3:55 PM, Christopher Schultz wrote:
James,

On 8/24/21 17:20, James H. H. Lampert wrote:
I could have sworn I asked about this over a year ago, but I can't find any record of having done so.

We've got a low-priority complaint about a security scan looking for "test.jsp" on one of our installations, expecting a 404 response, and instead getting a 200 response and a redirect to our own error page.

Just a sanity check: this *is* a problem with our ROOT context, not with Tomcat itself, right? And it has to be solved within our ROOT context, right?

My guess is that the vuln scanner assumes that "GET test.jsp" returning a 200 response means "it's got something bad in there". They are probably thinking about a *specific* test.jsp file, but you just happen to have one, probably as part of your application.

If you haven't deployed any of Tomcat's "example", "docs", or ROOT applications (meaning, the ROOT webapp that hosts Tomcat's documentation and stuff), then yes, this complaint is being aimed at your application.

You should probably be able to find test.jsp on your disk, or in your WAR file if for some reason you aren't exploding WAR files on deployment.

Go read the source for that file and maybe it will give you some insight as to where it came from.

-chris

If I understand correctly, the security scanning looks for something like this:

/appname/../test.jsp

How that triggers a 200, then generates an application error page I'm not certain.

In your application, do you have an <error-page> specified for 404 errors?

In your ROOT application (if different from your regular application) do you have an <error-page> specified?

What my $work environment has are application-specific error pages per application, and a generic error page for the ROOT application, which is just a placeholder.

Going to /appname/../test.jsp in my $work environment ends up at ROOT, which generates a 404 and the generic error page since there is no test.jsp page.

My $work environment has front end Apache HTTPD servers connected to multiple Tomcats via mod_jk. This may influence the results.

Security scans by various clients of $work have not complained about the above setup.

. . . just my two cents
/mde/
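For reference, the kind of `<error-page>` mapping the question above is asking about. This is an added example, not configuration from either poster's application: the path `/WEB-INF/errors/404.html` is an assumed placeholder, and the file must exist in the webapp for the mapping to work.

```xml
<!-- web.xml fragment (example, not from the thread). Maps 404 to a static
     page inside WEB-INF so the page itself cannot be requested directly. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         version="4.0">

    <error-page>
        <error-code>404</error-code>
        <location>/WEB-INF/errors/404.html</location>
    </error-page>

</web-app>
```

The point for the scanner complaint is how the error page is reached. A web.xml `<error-page>` is served by an internal forward, so the client still receives the 404 status together with the custom body. If the application instead catches the missing resource in a filter or servlet and calls `response.sendRedirect("/error.jsp")`, the client sees a redirect followed by a 200 for the error page, which is exactly the "200 plus redirect" pattern a scanner reads as "resource exists". Checking the raw status line of the first response (for example with `curl -sI` against the test URL) shows which of the two is happening.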
