It may also be useful to know if you get this same "exception-message"
header when you get a 404 from the Railo servlet (from a request for a
.cfm file).
It may help determine if Railo is involved or not.
Warm Regards,
Jordan Michaels
On 01/10/2014 04:02 PM, Caldarale, Charles R wrote:
> > From: August Kleimo [mailto:aug...@kleimo.com]
> > Subject: "exception-message" header reveals path to document root in 404
> > response.
> > I'm failing a PCI compliance scan because my Tomcat Version 7.0.20 server
> > is revealing the path to the document web root in an "exception-message"
> > header when a missing page is requested.
>
> If you were really worried about security, you wouldn't be running a version of
> Tomcat that's 2.5 years old. Seriously, upgrade.
>
> > Does anyone know of a way to get rid of this header from the response?
>
> Use your own custom error page.
>
> > Note: I'm running Railo 4.1.2 on top of Tomcat ... but I think this header
> > is coming from Tomcat.
>
> Nope. Here's Tomcat's standard 404 response:
>
> HTTP/1.1 404 Not Found
> Server: Apache-Coyote/1.1
> Content-Type: text/html;charset=utf-8
> Content-Length: 1027
> Date: Fri, 10 Jan 2014 23:59:34 GMT
>
> Most likely Railo is using a "friendly" error page.
>
> - Chuck
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
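The check Jordan suggests, written out as an added example that is not from the thread: request a missing .cfm and a missing .html on the same host, and report for each 404 whether an "exception-message" header is present and whether its value looks like a filesystem path. The host URL and probe file names are placeholders I assumed.

```python
import re
import urllib.error
import urllib.request

# Placeholder assumption: the Tomcat/Railo host being checked.
BASE_URL = "http://tomcat.example.invalid:8080"

# Constructed probe names. A missing .cfm is handled by the Railo servlet;
# a missing .html falls through to Tomcat's default servlet, so comparing
# the two 404s shows which layer adds the header.
PROBE_PATHS = ["/no-such-page-probe.cfm", "/no-such-page-probe.html"]

# A Unix or Windows filesystem path in the header value is the document-root
# disclosure the PCI scan flagged.
_PATH_RE = re.compile(r"(^|\s)(/[^\s]+|[A-Za-z]:\\[^\s]+)")


def classify_headers(headers):
    """Return (header_present, leaks_path) for a dict of response headers.

    Header names are compared case-insensitively, as HTTP requires.
    """
    for name, value in headers.items():
        if name.lower() == "exception-message":
            return True, bool(_PATH_RE.search(value))
    return False, False


def fetch_headers(url):
    """Return (status, headers) for url; a 404 is the expected outcome here."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items())


def probe(base_url=BASE_URL, paths=PROBE_PATHS):
    """Map each probe path to (status, header_present, leaks_path)."""
    results = {}
    for path in paths:
        status, headers = fetch_headers(base_url + path)
        present, leaks = classify_headers(headers)
        results[path] = (status, present, leaks)
    return results


if __name__ == "__main__":
    for path, (status, present, leaks) in probe().items():
        print(f"{path}: HTTP {status} exception-message={present} path_leak={leaks}")
```

If only the .cfm probe reports the header, the disclosure comes from the Railo layer rather than Tomcat's own 404 handling.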