Apache Tomcat Default File Vulnerability

I. Outline

Vulnerability Description: A default error page, default index page, sample JSP and/or sample servlet is installed on the remote Apache Tomcat server. These files should be deleted because they may help an attacker discover information about the remote Tomcat installation or the host itself.
Vulnerability risk:
Repair suggestion: Delete the default index page and delete the sample JSP and servlet. Replace or modify the default error page as specified by Tomcat or OWASP.

II. Solutions

1. Delete the docs directory and the examples directory.

2. Modify the default error page:
<1>. vim conf/web.xml and add the following configuration at the end of the file, inside the <web-app> element (before the closing </web-app> tag):

<error-page>
    <error-code>400</error-code>
    <location>/error.html</location>
</error-page>
<error-page>
    <error-code>404</error-code>
    <location>/error.html</location>
</error-page>
<error-page>
    <error-code>500</error-code>
    <location>/error.html</location>
</error-page>


<2>. Custom error page
vim /root/apache-tomcat-8.5.35/webapps/ROOT/error.html

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<title>Web pages are not accessible</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="404/error_all.css?t=201303212934">
</head>
<body class="error-404">
<div id="doc_main">

<section class="bd clearfix">
<div class="module-error">
<div class="error-main clearfix">
<div class="label"></div>
<div class="info">
<h3 class="title">Sorry, there is a problem with the page you visited.</h3>
<div class="reason">
<p>Possible reasons:</p>
<p>1. There is something wrong with handwriting.</p>
<p>2. URL Invalid?</p>
</div>
</div>
</div>
</div>
</section>
</div>

</body></html>

Restart Tomcat.
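To confirm that both steps took effect, the following added example (not part of the original post) audits a Tomcat directory for leftover docs/examples directories and for the 400/404/500 error-page mappings, and flags a web.xml that is no longer well-formed, which is what happens when the entries are pasted after the closing </web-app> tag. The names audit_tomcat and make_sample are hypothetical, and the directory tree built by make_sample is constructed sample data.

```python
import os
import xml.etree.ElementTree as ET

DEFAULT_DIRS = ("docs", "examples")     # directories the page says to delete
REQUIRED_CODES = ("400", "404", "500")  # codes the page maps to /error.html

def local(tag):
    """Drop the XML namespace so any web.xml schema version is handled."""
    return tag.rsplit("}", 1)[-1]

def audit_tomcat(home):
    """Return a list of findings; an empty list means the page's fixes are in place."""
    webapps = os.path.join(home, "webapps")
    findings = [f"default directory still present: webapps/{d}"
                for d in DEFAULT_DIRS if os.path.isdir(os.path.join(webapps, d))]
    try:
        root = ET.parse(os.path.join(home, "conf", "web.xml")).getroot()
    except (OSError, ET.ParseError) as exc:
        # Entries pasted after </web-app> make the file ill-formed and end up here.
        return findings + [f"conf/web.xml unreadable or not well-formed: {exc}"]
    mapped = {}
    for child in root:  # only direct children of <web-app> count
        if local(child.tag) == "error-page":
            fields = {local(e.tag): (e.text or "").strip() for e in child}
            mapped[fields.get("error-code")] = fields.get("location", "")
    for code in REQUIRED_CODES:
        page = mapped.get(code)
        if not page:
            findings.append(f"no custom error page for HTTP {code}")
        elif not os.path.isfile(os.path.join(webapps, "ROOT", page.lstrip("/"))):
            findings.append(f"error page for HTTP {code} not found on disk: {page}")
    return findings

def make_sample(home, hardened):
    """Build a constructed Tomcat-like tree (sample data, not a real install)."""
    extra = () if hardened else ("webapps/docs", "webapps/examples")
    for d in ("conf", "webapps/ROOT") + extra:
        os.makedirs(os.path.join(home, d))
    pages = ""
    if hardened:
        open(os.path.join(home, "webapps/ROOT/error.html"), "w").close()
        pages = "".join(f"<error-page><error-code>{c}</error-code>"
                        f"<location>/error.html</location></error-page>" for c in REQUIRED_CODES)
    with open(os.path.join(home, "conf/web.xml"), "w") as fh:
        fh.write(f'<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">{pages}</web-app>')

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(os.path.join(tmp, "default"), hardened=False)
        print("\n".join(audit_tomcat(os.path.join(tmp, "default"))))
```

On a real server, call audit_tomcat with the Tomcat installation directory, for example the /root/apache-tomcat-8.5.35 path used above.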

Posted on Tue, 08 Oct 2019 00:12:09 -0700 by dannau