Mark, James,

On 8/24/21 20:40, Mark Eggers wrote:
> Folks,
>
> On 8/24/2021 3:55 PM, Christopher Schultz wrote:
>> James,
>>
>> On 8/24/21 17:20, James H. H. Lampert wrote:
>>> I could have sworn I asked about this over a year ago, but I can't
>>> find any record of having done so.
>>>
>>> We've got a low-priority complaint about a security scan looking for
>>> "test.jsp" on one of our installations, expecting a 404 response, and
>>> instead getting a 200 response and a redirect to our own error page.
>>>
>>> Just a sanity check: this *is* a problem with our ROOT context, not
>>> with Tomcat itself, right? And it has to be solved within our ROOT
>>> context, right?
>>
>> My guess is that the vuln scanner assumes that "GET test.jsp"
>> returning a 200 response means "it's got something bad in there". They
>> are probably thinking about a *specific* test.jsp file, but you just
>> happen to have one, probably as part of your application.
>>
>> If you haven't deployed any of Tomcat's "example", "docs", or ROOT
>> applications (meaning, the ROOT webapp that hosts Tomcat's
>> documentation and stuff), then yes, this complaint is being aimed at
>> your application.
>>
>> You should probably be able to find test.jsp on your disk, or in your
>> WAR file if for some reason you aren't exploding WAR files on deployment.
>> Go read the source for that file and maybe it will give you some
>> insight as to where it came from.
>>
>> -chris
>
> If I understand correctly, the security scanning looks for something
> like this:
>
> /appname/../test.jsp

The subject line has ... and not .., so I suspect that means "ellipsis"
and not "dot dot slash" like a path segment that looks like it's looking
for a path-traversal vuln.

> How that triggers a 200, then generates an application error page I'm
> not certain.
>
> In your application, do you have an <error-page> specified for 404 errors?

+1

> In your ROOT application (if different from your regular application) do
> you have an <error-page> specified?

+1

> What my $work environment has are application-specific error pages per
> application, and a generic error page for the ROOT application, which is
> just a placeholder.
>
> Going to /appname/../test.jsp in my $work environment ends up at ROOT,
> which generates a 404 and the generic error page since there is no
> test.jsp page.
>
> My $work environment has front end Apache HTTPD servers connected to
> multiple Tomcats via mod_jk. This may influence the results.

+1

> Security scans by various clients of $work have not complained about the
> above setup.

Security scanners don't make money by telling you that you are already secure.
There's gotta be *something* they can find and complain about.

-chris
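The check the scanner is running (request a path that should not exist and see whether the answer is a real 404 or a 200/redirect), written out as an added example so the result can be confirmed before and after changing the web.xml `<error-page>` mapping. This is not code from the thread or from Tomcat; `probe`, `classify` and the sample replies are my own, and the base URL passed to `probe` is an assumption supplied by whoever runs it. Tomcat's own 404 handling, including a web.xml `<error-page>` with `<error-code>404</error-code>`, keeps the 404 status on the forward to the custom page; a 200 or a redirect for a missing resource comes from application code in front of that.

```python
"""Soft-404 check for a path that should not exist (added example, not from
the thread). A scanner flags "GET /test.jsp" when the reply is 200 or a
redirect instead of 404; this reproduces that check so the behaviour can
be verified with and without an <error-page> mapping for 404 in web.xml."""
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Return None so urllib raises HTTPError on a 3xx instead of following
    it; we want to see the redirect itself, not the 200 error page behind it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, headers):
    """Label one response to a probe for a resource that should not exist.

    hard-404 : the correct answer; Tomcat's default, and also what you get
               when web.xml maps error-code 404 to a custom page, because
               the status is preserved on that forward.
    redirect : 3xx with Location, typically application code sending the
               client to an error page; the client then lands on a 200.
    soft-404 : 200 carrying an error body; this is what the scanner flags.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 404:
        return "hard-404"
    if 300 <= status < 400 and "location" in hdrs:
        return "redirect"
    if status == 200:
        return "soft-404"
    return "other-%d" % status


def probe(base_url, path="test.jsp", timeout=5):
    """GET base_url/path without following redirects and classify the reply.
    base_url is supplied by the caller (assumed, e.g. http://localhost:8080/)."""
    url = base_url.rstrip("/") + "/" + path.lstrip("/")
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(urllib.request.Request(url), timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:
        # urllib raises for 4xx/5xx and, with NoRedirect installed, for 3xx too
        return classify(err.code, dict(err.headers))


# Constructed sample replies (not captured from any server), to show the
# labels without needing a live Tomcat.
SAMPLES = {
    "default tomcat 404":     (404, {"Content-Type": "text/html;charset=utf-8"}),
    "app redirects to error": (302, {"Location": "/error.jsp"}),
    "error page served 200":  (200, {"Content-Type": "text/html"}),
}

if __name__ == "__main__":
    for name, (status, hdrs) in SAMPLES.items():
        print("%-24s -> %s" % (name, classify(status, hdrs)))
```

Run it against the samples as-is, or call `probe("http://localhost:8080/")` (placeholder base URL) to check a real instance; a deployment that answers "hard-404" for `test.jsp` is what the scanner expects, and "redirect" or "soft-404" points at the application's own error handling rather than at Tomcat.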
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org