On 10/04/2024 21:15, Christopher Schultz wrote:
All,
On 4/10/24 4:00 AM, Mark Thomas wrote:
On 09/04/2024 17:17, prat 007 wrote:
Hi All,
I would like to know is there a way to find tomcat's server.built and
server.number remotely using a tool like curl or from a browser?
In a default installation, no.
You'd have to write a servlet that reported that information and then
request that page.
... and it might represent an information leakage vulnerability in your
application. Be careful.
Shall we start the flame war now on whether exposing the current version
you are running represents a valid vulnerability or if hiding it is
just security by obscurity? Or do you want to save it for Bratislava?
:)
More seriously, your time is likely to be better spent (in my view)
keeping your Tomcat installations up to date with the latest releases
than it is ensuring that you hide the version number.
Mark
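
A sketch of the kind of servlet described in the thread, with the disclosure concern handled by answering loopback callers only. This is an added example, not code from the thread or from the Tomcat project. Assumptions: the class name `ServerInfoServlet` and the path `/internal/server-info` are hypothetical, and the `jakarta.*` imports assume Tomcat 10 or later (Tomcat 9 and earlier use `javax.servlet.*`).

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.net.InetAddress;

import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.apache.catalina.util.ServerInfo;

// Hypothetical class name and URL mapping, chosen for this example.
@WebServlet("/internal/server-info")
public class ServerInfoServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // getRemoteAddr() returns an IP literal, so no DNS lookup happens here.
        // Caveat: behind a reverse proxy on the same host every request looks
        // like loopback; in that deployment protect the path with a
        // security-constraint and an admin role instead of this check.
        InetAddress caller = InetAddress.getByName(req.getRemoteAddr());
        if (!caller.isLoopbackAddress()) {
            // 404 rather than 403 so the endpoint's existence is not confirmed.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        resp.setContentType("text/plain");
        resp.setCharacterEncoding("UTF-8");
        resp.setHeader("Cache-Control", "no-store");

        // Same values that version.sh / version.bat print on the host.
        PrintWriter out = resp.getWriter();
        out.println("server.info=" + ServerInfo.getServerInfo());
        out.println("server.number=" + ServerInfo.getServerNumber());
        out.println("server.built=" + ServerInfo.getServerBuilt());
    }
}
```

Compile against `catalina.jar` from the Tomcat `lib` directory without bundling it in the WAR; at runtime the class is resolved from the container's own class loader.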