Although I suppose it's possible, I don't think it has to do with Railo. The Railo servlet doesn't handle requests for .html files... those are handled by Tomcat's default servlet.

Here are the default (suggested) handlers for a Railo install:

    <servlet-mapping>
        <servlet-name>CFMLServlet</servlet-name>
        <url-pattern>*.cfm</url-pattern>
        <url-pattern>*.cfml</url-pattern>
        <url-pattern>*.cfc</url-pattern>
        <!-- Basic SES Mappings -->
        <url-pattern>/index.cfc/*</url-pattern>
        <url-pattern>/index.cfm/*</url-pattern>
        <url-pattern>/index.cfml/*</url-pattern>
    </servlet-mapping>

    <!-- Mapping for Flex Gateway Servlet -->
    <servlet-mapping>
        <servlet-name>MessageBrokerServlet</servlet-name>
        <url-pattern>/flex2gateway/*</url-pattern>
        <url-pattern>/flashservices/gateway/*</url-pattern>
        <url-pattern>/messagebroker/*</url-pattern>
    </servlet-mapping>

    <!-- mapping for Railo's REST servlet -->
    <servlet-mapping>
        <servlet-name>RestServlet</servlet-name>
        <url-pattern>/rest/*</url-pattern>
    </servlet-mapping>

August, can you describe your install a bit more? How did you install Railo? Did you start with a vanilla Tomcat install and install a Railo war? Have you customized your install at all or added any custom configs?

Warm Regards,
Jordan Michaels

On 01/10/2014 04:02 PM, Caldarale, Charles R wrote:
From: August Kleimo [mailto:aug...@kleimo.com]
Subject: "exception-message" header reveals path to document root in 404 response.

I'm failing a PCI compliance scan because my Tomcat Version 7.0.20 server
is revealing the path to the document web root in an "exception-message"
header when a missing page is requested.

If you were really worried about security, you wouldn't be running a version of 
Tomcat that's 2.5 years old.  Seriously, upgrade.

Does anyone know of a way to get rid of this header from the response?

Use your own custom error page.

Note: I'm running Railo 4.1.2 on top of Tomcat ... but I think this header
is coming from Tomcat.

Nope.  Here's Tomcat's standard 404 response:

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 1027
Date: Fri, 10 Jan 2014 23:59:34 GMT

Most likely Railo is using a "friendly" error page.

  - Chuck




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
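
A header check that could be run over captured 404 responses to catch the kind of disclosure discussed in this thread, as an added example that is not part of the original messages. The leaky response, the path in it and the helper names are constructed for illustration; the clean response is the standard Tomcat 404 quoted above.

```python
import re

# Constructed sample: a 404 carrying an "exception-message" header with a made-up path.
LEAKY_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "exception-message: Page /missing.cfm [/opt/example/webroot/missing.cfm] not found\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# The standard Tomcat 404 headers as quoted in the thread.
STANDARD_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Content-Length: 1027\r\n"
    "Date: Fri, 10 Jan 2014 23:59:34 GMT\r\n"
    "\r\n"
)

# Headers that legitimately carry URL paths and would only add noise.
URL_HEADERS = {"location", "content-location", "link", "set-cookie"}

# Absolute Unix path with at least two segments (not part of a URL or MIME type),
# or a Windows drive path.
PATH_RE = re.compile(r"(?<![\w/:.])(?:/[\w.\-]+){2,}|\b[A-Za-z]:\\[\w.\-\\ ]+")


def parse_headers(raw):
    """Return [(lowercased name, value)] from a raw HTTP response, skipping the status line."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def find_path_leaks(raw):
    """Return [(header name, leaked path)] for header values that expose filesystem paths."""
    findings = []
    for name, value in parse_headers(raw):
        if name in URL_HEADERS:
            continue
        for match in PATH_RE.finditer(value):
            findings.append((name, match.group(0)))
    return findings
```
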

