James,

On 8/24/21 17:20, James H. H. Lampert wrote:
> I could have sworn I asked about this over a year ago, but I can't find
> any record of having done so.
>
> We've got a low-priority complaint about a security scan looking for
> "test.jsp" on one of our installations, expecting a 404 response, and
> instead getting a 200 response and a redirect to our own error page.
>
> Just a sanity check: this *is* a problem with our ROOT context, not with
> Tomcat itself, right? And it has to be solved within our ROOT context,
> right?

My guess is that the vuln scanner assumes that "GET test.jsp" returning
a 200 response means "it's got something bad in there". They are
probably thinking about a *specific* test.jsp file, but you just happen
to have one, probably as part of your application.

If you haven't deployed any of Tomcat's "example", "docs", or ROOT
applications (meaning, the ROOT webapp that hosts Tomcat's documentation
and stuff), then yes, this complaint is being aimed at your application.

You should probably be able to find test.jsp on your disk, or in your
WAR file if for some reason you aren't exploding WAR files on deployment.
Go read the source for that file and maybe it will give you some insight
as to where it came from.

-chris
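
The search suggested in the reply above, as an added example that is not part of the original message and is not Tomcat's own code: it looks for test.jsp in exploded webapps and inside unexploded WAR files, and reports the URL path each copy would be served at. It assumes Tomcat's usual webapps naming (ROOT is the empty context path, `#` becomes `/`, `##` marks a version); `context_path`, `find_jsp` and `build_sample` are hypothetical names and the sample layout is constructed.

```python
import os
import tempfile
import zipfile

HIDDEN = ("WEB-INF", "META-INF")  # top-level directories Tomcat never serves directly

def context_path(base_name):
    """Map a webapps entry name to its context path (ROOT -> "", a#b -> /a/b)."""
    base_name = base_name.split("##", 1)[0]  # drop parallel-deployment version
    return "" if base_name == "ROOT" else "/" + base_name.replace("#", "/")

def find_jsp(webapps_dir, name="test.jsp"):
    """Return sorted (url_path, location) pairs for each servable copy of `name`."""
    hits = []
    for entry in os.listdir(webapps_dir):
        full = os.path.join(webapps_dir, entry)
        if os.path.isdir(full):  # exploded web application
            ctx = context_path(entry)
            for root, dirs, files in os.walk(full):
                if root == full:  # only the top-level WEB-INF/META-INF are protected
                    dirs[:] = [d for d in dirs if d.upper() not in HIDDEN]
                if name in files:
                    path = os.path.join(root, name)
                    rel = os.path.relpath(path, full).replace(os.sep, "/")
                    hits.append((ctx + "/" + rel, path))
        elif entry.lower().endswith(".war") and zipfile.is_zipfile(full):
            ctx = context_path(entry[:-4])
            with zipfile.ZipFile(full) as war:  # unexploded WAR: read the archive index
                for member in war.namelist():
                    parts = member.split("/")
                    if parts[-1] == name and parts[0].upper() not in HIDDEN:
                        hits.append((ctx + "/" + member, full + "!/" + member))
    return sorted(hits)

def build_sample(root):
    """Constructed layout: an exploded ROOT app plus an unexploded shop.war."""
    os.makedirs(os.path.join(root, "ROOT", "WEB-INF"))
    for rel in ("test.jsp", os.path.join("WEB-INF", "test.jsp")):
        with open(os.path.join(root, "ROOT", rel), "w") as fh:
            fh.write("<%-- constructed sample --%>")
    with zipfile.ZipFile(os.path.join(root, "shop.war"), "w") as war:
        war.writestr("admin/test.jsp", "<%-- constructed sample --%>")
        war.writestr("WEB-INF/web.xml", "<web-app/>")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for url, where in find_jsp(tmp):
            print(url, "<-", where)
```

A hit whose URL path is exactly `/test.jsp` is the file the scanner's request would reach; pointing `find_jsp` at a real webapps directory replaces the constructed sample.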