Re: "exception-message" header reveals path to document root in 404 response.

Fri, 10 Jan 2014 16:49:17 -0800 

Hi All,  Thanks for all your replies.  Turns out it was in fact Railo.  I
searched the Railo repo on GitHub and found a reference to that header.  I
was able to overwrite it with a blank string using this line of code.

<cfset getPageContext().getResponse().setHeader("exception-message","")>




On Fri, Jan 10, 2014 at 4:36 PM, Jordan Michaels <jor...@viviotech.net>wrote:

> It may also be useful to know if you get this same "exception-message"
> header when you get a 404 from the Railo servlet (from a request for a .cfm
> file).
>
> It may help determine if Railo is involved or not.
>
>
> Warm Regards,
> Jordan Michaels
>
> On 01/10/2014 04:02 PM, Caldarale, Charles R wrote:
>
>> From: August Kleimo [mailto:aug...@kleimo.com]
>>> Subject: "exception-message" header reveals path to document root in 404
>>> response.
>>>
>>
>>  I'm failing a PCI compliance scan because my Tomcat Version 7.0.20 server
>>> is revealing the path to the document web root in an "exception-message"
>>> header when a missing page is requested.
>>>
>>
>> If you were really worried about security, you wouldn't be running a
>> version of Tomcat that's 2.5 years old.  Seriously, upgrade.
>>
>>  Does anyone know of way to get rid of this header from the response?
>>>
>>
>> Use your own custom error page.
>>
>>  Note: I'm running Railo 4.1.2 on top of Tomcat ... but I think this
>>> header
>>> is coming from Tomcat.
>>>
>>
>> Nope.  Here's Tomcat's standard 404 response:
>>
>> HTTP/1.1 404 Not Found
>> Server: Apache-Coyote/1.1
>> Content-Type: text/html;charset=utf-8
>> Content-Length: 1027
>> Date: Fri, 10 Jan 2014 23:59:34 GMT
>>
>> Most likely Railo is using a "friendly" error page.
>>
>>   - Chuck
>>
>>
>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
>> MATERIAL and is thus for use only by the intended recipient. If you
>> received this in error, please contact the sender and delete the e-mail and
>> its attachments from all computers.
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Reply via email to