Re: Vulnerability on Apache Tomcat Default Files

2020-08-12 Thread FANG YAP
Hello Chris,

they only mention on port 8080 and no other info. I will try that telnet
command and see.

On Thu, 6 Aug 2020 at 23:20, Christopher Schultz <ch...@christopherschultz.net> wrote:

>
> Fang,
>
> On 8/5/20 22:16, FANG YAP wrote:
> > Did that as well, but the scanner still flagged it. Is that to say it is
> > a false positive result in their scan?
> Well, they are complaining that Tomcat is revealing its version number
> (right?). That's not a false-positive. It's just ... I guess being
> picky. I get it: it's best not to reveal anything.
>
> But if their scanner is still finding it, you aren't done yet.
>
> Can they tell you what request causes this "failure" to occur? Maybe
> you fixed 404s but not 400s?
>
> Try making a request like this:
>
> $ telnet localhost 8080
> GET /foo HTML/4.0
> [newline]
> [newline]
>
> See what comes back. That should come back as a 400 Bad Request and it
> might include Tomcat's version information, etc.
>
> -chris
>
> > On Wed, 5 Aug 2020, 04:21 Christopher Schultz wrote:
> >
> > Fang,
> >
> > On 8/3/20 23:10, FANG YAP wrote:
> >>>> I have an issue on the subject mentioned as the vulnerability
> >>>> scan flagged out.
> >>>>
> >>>> Plugin: 12085 Plugin Text: Apache Tomcat Default Files
> >>>> Protocol: TCP Port: 8080
> >>>>
> >>>> Apache Tomcat 8.5.55 (x64-bit machines)
> >>>>
> >>>> In my app folder (located in the webapp folder) I already had
> >>>> the necessary error pages. Also indicated the error jsp file
> >>>> in the app's web.xml. How to know what should be shown when
> >>>> they (user) enter the wrong site for tomcat?
> >>>>
> >>>> Should it be showing this page below or it should show my
> >>>> custom error page set in app's web.xml? HTTP 404 Not Found The
> >>>> webpage cannot be found.. Most likely causes:... - There
> >>>> might be a typing error in the address - If you clicked on a
> >>>> link, it may be out of date
> >>>>
> >>>> What you can try: .
> >
> > This doesn't look like a vuln to me. Your scanner is being
> > overzealous.
> >
> > But if you want to replace the 404 Not Found page when you request
> > /noapp and your application is deployed to /myapp then you can't
> > fix the problem in "myapp". You have to make other arrangements.
> >
> > The easiest thing to do is deploy a ROOT application with all
> > errors (including 404) pointing to a custom error page. You can do
> > this in your ROOT application's WEB-INF/web.xml file.
> >
> > -chris

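Chris's ROOT-application suggestion, written out as an added example that is not part of the thread: a minimal webapps/ROOT/WEB-INF/web.xml whose error-page mappings cover the status codes and exception type Fang lists elsewhere in this archive. The /error/*.html locations are assumed file names; any request for a path that no other deployed context claims (such as /noapp) lands in ROOT, so these mappings decide what a visitor sees.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- webapps/ROOT/WEB-INF/web.xml  (added example, not from the thread) -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <display-name>ROOT</display-name>

  <!-- Status-code mappings: the container forwards to these pages
       instead of rendering its own error report for this context. -->
  <error-page>
    <error-code>404</error-code>
    <location>/error/404.html</location>   <!-- assumed file name -->
  </error-page>
  <error-page>
    <error-code>403</error-code>
    <location>/error/403.html</location>   <!-- assumed file name -->
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/error/500.html</location>   <!-- assumed file name -->
  </error-page>

  <!-- java.lang.Throwable also catches java.lang.Error, which a
       java.lang.Exception mapping would miss. -->
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error/500.html</location>
  </error-page>

  <!-- Servlet 3.0+: a mapping with neither error-code nor
       exception-type is the default for every other error. -->
  <error-page>
    <location>/error/generic.html</location>   <!-- assumed file name -->
  </error-page>
</web-app>
```

The pages themselves should be static HTML with no server identification; a JSP error page that itself throws would fall back to the container's report.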

Re: Vulnerability on Apache Tomcat Default Files

2020-08-05 Thread FANG YAP
Hi Chris,

Did that as well, but the scanner still flagged it. Is that to say it is a false
positive result in their scan?

Regards with Thanks,

Fang

On Wed, 5 Aug 2020, 04:21 Christopher Schultz wrote:

> Fang,
>
> On 8/3/20 23:10, FANG YAP wrote:
> > I have an issue on the subject mentioned as the vulnerability scan
> > flagged out.
> >
> > Plugin: 12085 Plugin Text: Apache Tomcat Default Files Protocol:
> > TCP Port: 8080
> >
> > Apache Tomcat 8.5.55 (x64-bit machines)
> >
> > In my app folder (located in the webapp folder) I already had the
> > necessary error pages. Also indicated the error jsp file in the
> > app's web.xml. How to know what should be shown when they (user)
> > enter the wrong site for tomcat?
> >
> > Should it be showing this page below or it should show my custom
> > error page set in app's web.xml? HTTP 404 Not Found The webpage
> > cannot be found.. Most likely causes:... - There might be a typing
> > error in the address - If you clicked on a link, it may be out of
> > date
> >
> > What you can try: .
>
> This doesn't look like a vuln to me. Your scanner is being overzealous.
>
> But if you want to replace the 404 Not Found page when you request
> /noapp and your application is deployed to /myapp then you can't fix
> the problem in "myapp". You have to make other arrangements.
>
> The easiest thing to do is deploy a ROOT application with all errors
> (including 404) pointing to a custom error page. You can do this in
> your ROOT application's WEB-INF/web.xml file.
>
> -chris


Vulnerability on Apache Tomcat Default Files

2020-08-03 Thread FANG YAP
Hello Apache Tomcat,

I have an issue on the subject mentioned as the vulnerability scan flagged
out.

Plugin: 12085
Plugin Text: Apache Tomcat Default Files
Protocol: TCP
Port: 8080

Apache Tomcat 8.5.55 (x64-bit machines)

In my app folder (located in the webapp folder) I already had the necessary
error pages. Also indicated the error jsp file in the app's web.xml. How to
know what should be shown when they (user) enter the wrong site for tomcat?

Should it be showing this page below or it should show my custom error page
set in app's web.xml?
HTTP 404 Not Found
The webpage cannot be found..
Most likely causes:...
- There might be a typing error in the address
- If you clicked on a link, it may be out of date

What you can try:
.

Rgs,
Fang


How to encrypt db password in tomcat context.xml

2020-06-26 Thread FANG YAP
Hi Tomcat,

I would like to know how to encrypt and decrypt the database password in
context.xml while the application is running, which also allows me to change
the db password for the purpose of security.

Database driver is Oracle
JDK: 1.8.0_251
Tomcat Version: 8.5.55


Appreciate ya help.

Rgs,
FanggDev.


Re: Vulnerability flagged in Nessus Scan

2020-06-07 Thread FANG YAP
Hello Martin and John,

Any update on this?

Regards with Thanks,

Fang

On Thu, 4 Jun 2020, 09:48 FANG YAP wrote:

> Hi Martin,
>
> Thank you for your email.
>
> In my application's web.xml, there is already a default 
> error-code that defines 404 (../error_404.jsp), 403 (../error_403.jsp), 500
> (../error_500.jsp) and java.lang.Throwable (.. /system Error.jsp)
>
> whereas the tomcat web.xml defines the previous error page on exception.
>
> Do I have to declare the same error code in the application's web.xml in
> the tomcat web.xml?
>
> Hi John,
>
> Thank you for your reply.
>
> In the tomcat server.xml, there is already a Valve tag like <Valve
> className="org.apache.catalina.AccessLogValve" pattern=... /> under <Host
> name="local"... >
>
> For your resolution is to include another valve tag below the access log
> valve?
>
> Regards with Thanks,
>
> Fang
>
> On Thu, 4 Jun 2020, 06:03 John Palmer wrote:
>
>> As the concern is that an error page will show the tomcat version/patch
>> info
>> AND a stacktrace,
>> I found the easier/better? solution to be adding showReport="false"
>> showServerInfo="false"
>> to the Error Report Valve section at the bottom of server.xml (and adding
>> or uncommenting that valve section...):
>>
>> <Valve className="org.apache.catalina.valves.ErrorReportValve"
>> showReport="false" showServerInfo="false" />
>>
>> On Wed, Jun 3, 2020 at 5:40 AM Martin Grigorov wrote:
>>
>> > On Wed, Jun 3, 2020 at 11:14 AM FANG YAP wrote:
>> >
>> > > Hello Martin,
>> > >
>> > > Is that to say that I have to declare something like this in the
>> > > web.xml file?
>> > >
>> > > <error-page>
>> > > <exception-type>java.lang.Exception</exception-type>
>> > > <location>/error.jsp</location>
>> > > </error-page>
>> >
>> > Better use the error-code ones from the StackOverflow link I gave you.
>> > Your approach will cover only error code 500 (for Exceptions, but not
>> for
>> > java.lang.Error) and won't cover NotFound (404) and the others.
>> > I guess Nessus won't be totally happy with your approach.
>> >
>> >
>> > >
>> > > Regards with Thanks,
>> > >
>> > > Fang
>> > >
>> > > On Wed, 3 Jun 2020, 15:56 Martin Grigorov wrote:
>> > >
>> > > > Hi,
>> > > >
>> > > > On Wed, Jun 3, 2020 at 5:53 AM FANG YAP wrote:
>> > > >
>> > > > > Resend
>> > > > >
>> > > > > On Wed, 3 Jun 2020, 10:10 FANG YAP wrote:
>> > > > >
>> > > > > > Hi Tomcat,
>> > > > > >
>> > > > > > Nessus scanned and found issue in Apache Tomcat Port 8080
>> > > > > >
>> > > > > > Port: 8080
>> > > > > > Plugin Text:
>> > > > > > The server is not configured to return a custom page in the event
>> > > > > > of a client requesting a non-existent resource. This may result in
>> > > > > > a potential disclosure of sensitive information about the server
>> > > > > > to attacker.
>> > > > > >
>> > > > > > Apache Tomcat Version: 8.5.43
>> > > > > > JDK 8: 1.8.0_212 (Will be upgrading soon to latest 1.8.0_251)
>> > > > >
>> > > >
>> > > > To configure custom error pages and thus to suppress this issue you
>> > > > can:
>> > > > 1) use ErrorReportValve
>> > > > <https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Error_Report_Valve>
>> > > >
>> > > > 2) configure error-page elements in your application web.xml -
>> > > > https://stackoverflow.com/a/7066536/497381
>> > > >
>> > > >
>> > > > > >
>> > > > > > Your assistance would be greatly appreciated
>> > > > > >
>> > > > > > Rgs,
>> > > > > > Fang
>> > > > > >
>> > > > >
>> > > >
>> > >
>> >
>>
>

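John's valve setting in context, as an added example that is not taken from the thread: the Host section of conf/server.xml with the access-log valve Fang already has, followed by an explicit ErrorReportValve. Fang's error-page entries live inside one application, so they cannot change what Tomcat renders for a request that never reaches an application, such as the 404 when no ROOT application is deployed or the 400 Chris probes for with telnet; the valve's showServerInfo and showReport attributes control those pages. The Host and AccessLogValve attributes shown are the stock defaults from a Tomcat 8.5 distribution.

```xml
<!-- conf/server.xml, inside <Service><Engine>  (added example, not from the thread) -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

  <!-- Access log valve that is already present in a default server.xml; unchanged. -->
  <Valve className="org.apache.catalina.valves.AccessLogValve"
         directory="logs" prefix="localhost_access_log" suffix=".txt"
         pattern="%h %l %u %t &quot;%r&quot; %s %b" />

  <!-- Declaring the error report valve explicitly replaces the one Tomcat
       adds to the Host pipeline by default.
       showServerInfo="false": drop the "Apache Tomcat/8.5.x" line from
                               container-rendered error pages.
       showReport="false":     drop the description/exception block, which
                               can include a stack trace on 500s. -->
  <Valve className="org.apache.catalina.valves.ErrorReportValve"
         showReport="false"
         showServerInfo="false" />

</Host>
```

After restarting, compare the body of a request for an unmapped path and of Chris's malformed request line: both should now come back without the version line, which is what the scanner is matching on.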

Re: Vulnerability flagged in Nessus Scan

2020-06-03 Thread FANG YAP
Hi Martin,

Thank you for your email.

In my application's web.xml, there is already a default 
error-code that defines 404 (../error_404.jsp), 403 (../error_403.jsp), 500
(../error_500.jsp) and java.lang.Throwable (.. /system Error.jsp)

whereas the tomcat web.xml defines the previous error page on exception.

Do I have to declare the same error code in the application's web.xml in
the tomcat web.xml?

Hi John,

Thank you for your reply.

In the tomcat server.xml, there is already a Valve tag like  under 

For your resolution is to include another valve tag below the access log
valve?

Regards with Thanks,

Fang

On Thu, 4 Jun 2020, 06:03 John Palmer wrote:

> As the concern is that an error page will show the tomcat version/patch info
> AND a stacktrace,
> I found the easier/better? solution to be adding showReport="false"
> showServerInfo="false"
> to the Error Report Valve section at the bottom of server.xml (and adding
> or uncommenting that valve section...):
>
> <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />
>
> On Wed, Jun 3, 2020 at 5:40 AM Martin Grigorov wrote:
>
> > On Wed, Jun 3, 2020 at 11:14 AM FANG YAP wrote:
> >
> > > Hello Martin,
> > >
> > > Is that to say that I have to declare something like this in the
> > > web.xml file?
> > >
> > > <error-page>
> > > <exception-type>java.lang.Exception</exception-type>
> > > <location>/error.jsp</location>
> > > </error-page>
> >
> > Better use the error-code ones from the StackOverflow link I gave you.
> > Your approach will cover only error code 500 (for Exceptions, but not for
> > java.lang.Error) and won't cover NotFound (404) and the others.
> > I guess Nessus won't be totally happy with your approach.
> >
> >
> > >
> > > Regards with Thanks,
> > >
> > > Fang
> > >
> > > On Wed, 3 Jun 2020, 15:56 Martin Grigorov wrote:
> > >
> > > > Hi,
> > > >
> > > > On Wed, Jun 3, 2020 at 5:53 AM FANG YAP wrote:
> > > >
> > > > > Resend
> > > > >
> > > > > On Wed, 3 Jun 2020, 10:10 FANG YAP wrote:
> > > > >
> > > > > > Hi Tomcat,
> > > > > >
> > > > > > Nessus scanned and found issue in Apache Tomcat Port 8080
> > > > > >
> > > > > > Port: 8080
> > > > > > Plugin Text:
> > > > > > The server is not configured to return a custom page in the event
> > > > > > of a client requesting a non-existent resource. This may result in a
> > > > > > potential disclosure of sensitive information about the server to
> > > > > > attacker.
> > > > > >
> > > > > > Apache Tomcat Version: 8.5.43
> > > > > > JDK 8: 1.8.0_212 (Will be upgrading soon to latest 1.8.0_251)
> > > > >
> > > >
> > > > To configure custom error pages and thus to suppress this issue you
> > > > can:
> > > > 1) use ErrorReportValve
> > > > <https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Error_Report_Valve>
> > > >
> > > > 2) configure error-page elements in your application web.xml -
> > > > https://stackoverflow.com/a/7066536/497381
> > > >
> > > >
> > > > > >
> > > > > > Your assistance would be greatly appreciated
> > > > > >
> > > > > > Rgs,
> > > > > > Fang
> > > > > >
> > > > >
> > > >
> > >
> >
>


Re: Vulnerability flagged in Nessus Scan

2020-06-03 Thread FANG YAP
Hello Martin,

Is that to say that I have to declare something like this in the web.xml file?

<error-page>
<exception-type>java.lang.Exception</exception-type>
<location>/error.jsp</location>
</error-page>

Regards with Thanks,

Fang

On Wed, 3 Jun 2020, 15:56 Martin Grigorov wrote:

> Hi,
>
> On Wed, Jun 3, 2020 at 5:53 AM FANG YAP wrote:
>
> > Resend
> >
> > On Wed, 3 Jun 2020, 10:10 FANG YAP wrote:
> >
> > > Hi Tomcat,
> > >
> > > Nessus scanned and found issue in Apache Tomcat Port 8080
> > >
> > > Port: 8080
> > > Plugin Text:
> > > The server is not configured to return a custom page in the event of a
> > > client requesting a non-existent resource. This may result in a
> > > potential disclosure of sensitive information about the server to attacker.
> > >
> > > Apache Tomcat Version: 8.5.43
> > > JDK 8: 1.8.0_212 (Will be upgrading soon to latest 1.8.0_251)
> >
>
> To configure custom error pages and thus to suppress this issue you can:
> 1) use ErrorReportValve
> <https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Error_Report_Valve>
>
> 2) configure error-page elements in your application web.xml -
> https://stackoverflow.com/a/7066536/497381
>
>
> > >
> > > Your assistance would be greatly appreciated
> > >
> > > Rgs,
> > > Fang
> > >
> >
>


Re: Vulnerability flagged in Nessus Scan

2020-06-02 Thread FANG YAP
Resend

On Wed, 3 Jun 2020, 10:10 FANG YAP wrote:

> Hi Tomcat,
>
> Nessus scanned and found issue in Apache Tomcat Port 8080
>
> Port: 8080
> Plugin Text:
> The server is not configured to return a custom page in the event of a
> client requesting a non-existent resource. This may result in a potential
> disclosure of sensitive information about the server to attacker.
>
> Apache Tomcat Version: 8.5.43
> JDK 8: 1.8.0_212 (Will be upgrading soon to latest 1.8.0_251)
>
> Your assistance would be greatly appreciated
>
> Rgs,
> Fang
>