Apache tomcat default files

7/8/2023

We use Nessus to assess servers for vulnerabilities in our environment. When scanning our server being used for SonarQube, we are showing a finding for Tomcat default files being present. When testing a non-existent path under the SonarQube context (e.g. ), we received a custom error page (this is the desired functionality). However, when accessing a page outside of the SonarQube context (e.g. ), we receive the default Apache error page, which includes Tomcat version information.

It appears that Tomcat might be embedded, so I don’t see any applicable conf files where we could change this behavior. As a mitigation, we put SonarQube behind an Apache service so we can control the error shown for non-existent paths, but this doesn’t necessarily solve the core complaint of the vulnerability scanner. Is there any way to disable/modify the Tomcat error page?

The default error page, default index page, example JSPs and/or example servlets are installed on the remote Apache Tomcat server. These files should be removed as they may help an attacker uncover information about the remote Tomcat install or host itself.

Bypass URL to get Apache Tomcat default pages/files (Information Disclosure).

Jasper parses JSP files to compile them into Java code as servlets (that can be handled by Catalina). The most interesting path of Tomcat is /manager/html; inside that path you can upload and deploy WAR files (execute code).