RE: tomcat Finding!

2018-12-26 Thread Berneburg, Cris J. - US
Hi Danyaal

dh> I'm encountering following scan finding errors
dh> and couldn't find way to mitigate this.

dh> Tomcat 8.5.32
dh> 12085
dh> Apache Tomcat Default Files
dh> The following default files were found
dh> :/nessus-check/default-404-error-page.html
dh> Delete the default index page and remove the
dh> example JSP and servlets. Follow the Tomcat
dh> or OWASP instructions to replace or modify
dh> the default error page.

We recently encountered this problem in our server scans and were able to 
mitigate the issue.

If you have not already read it, here's a Tenable forum thread about the topic. 
 While it does not provide a complete solution, it starts to explain the issue.

We started by removing the apps that came bundled in Tomcat webapps.  We 
deleted the docs, examples, and ROOT folders.

Also, we removed the <error-page> 404 block from our application web.xml and 
added one to the Tomcat conf/web.xml.  Something like:

<error-page>
    <error-code>404</error-code>
    <location>/NotFound.jsp</location>
</error-page>


--
Cris Berneburg
CACI Lead Software Engineer
but Tomcat newbie


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
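
Added example (not part of the original thread and not Tomcat project code): a Python audit of the three mitigations discussed in this thread, namely the deleted docs, examples and ROOT folders, the 404 error-page in conf/web.xml, and the ErrorReportValve placed under Server/Service/Engine/Host. The function names, finding strings and sample server.xml are constructed for illustration, and the base directory is assumed to have the usual conf/ and webapps/ layout.

```python
import pathlib
import xml.etree.ElementTree as ET

BUNDLED_APPS = ("docs", "examples", "ROOT")  # folders the thread says were deleted
ERV = "org.apache.catalina.valves.ErrorReportValve"
# Constructed sample: the valve is under Engine instead of Host, so it is flagged
SAMPLE_SERVER_XML = f"""<Server><Service name="Catalina"><Engine name="Catalina">
<Valve className="{ERV}" showReport="false" showServerInfo="false"/>
<Host name="localhost" appBase="webapps"/></Engine></Service></Server>"""

def local(tag):
    """Drop an XML namespace so web.xml matches with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def check_server_xml(xml):
    """Every Host needs an ErrorReportValve with both attributes set to false."""
    findings = []
    for host in ET.fromstring(xml).findall("./Service/Engine/Host"):
        name = host.get("name", "?")
        valves = [v for v in host.findall("Valve") if v.get("className") == ERV]
        if not valves:
            findings.append(f"Host {name}: no ErrorReportValve")
        for valve in valves:
            for attr in ("showReport", "showServerInfo"):
                if valve.get(attr, "true").lower() != "false":  # default is true
                    findings.append(f"Host {name}: {attr} is not false")
    return findings

def check_web_xml(xml):
    """conf/web.xml should map 404 to a custom page for all applications."""
    for ep in ET.fromstring(xml).iter():
        kids = {local(c.tag): (c.text or "").strip() for c in ep}
        if (local(ep.tag) == "error-page" and kids.get("error-code") == "404"
                and kids.get("location")):
            return []
    return ["conf/web.xml: no <error-page> for 404"]

def audit(base):
    """Collect findings for the Tomcat instance rooted at base."""
    base = pathlib.Path(base)
    findings = [f"bundled app present: webapps/{app}"
                for app in BUNDLED_APPS if (base / "webapps" / app).is_dir()]
    findings += check_server_xml((base / "conf" / "server.xml").read_bytes())
    findings += check_web_xml((base / "conf" / "web.xml").read_bytes())
    return findings

if __name__ == "__main__":
    print(check_server_xml(SAMPLE_SERVER_XML))  # runs on the constructed sample
```

ROOT is flagged whenever the folder exists, so an instance that deploys its own application as ROOT will need that entry reviewed by hand.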



Re: [EXTERNAL] Re: tomcat Finding!

2018-12-19 Thread Peter@Kreuser-Online
Danyaal,


> On 18.12.2018 at 21:15  wrote:
> 
> Added following to the Server.xml, still showing in the latest scan.
> 
> <Valve className="org.apache.catalina.valves.ErrorReportValve"
>        showReport="false" showServerInfo="false" />
> 
> Thank you,
> Danyaal 
> 
> -Original Message-
> From: John Palmer [mailto:johnpalm...@gmail.com] 
> Sent: Friday, December 14, 2018 6:26 PM
> To: Tomcat Users List
> Subject: [EXTERNAL] Re: tomcat Finding!
> 
> WARNING:This is an external email that originated outside of our email 
> system. DO NOT CLICK links or open attachments unless you recognize the 
> sender and know that the content is safe!
> 
> I found this to be easier to accomplish (and maintain):
> 
> add to the Host section of server.xml:
> <Valve className="org.apache.catalina.valves.ErrorReportValve"
>        showReport="false" showServerInfo="false" />
> 
> (this will disable the tomcat version number and the stacktrace  - the
> defaults for these are "true")
> 
> 
>> On Fri, Dec 14, 2018 at 10:18 AM  wrote:
>> 
>> Good Morning,
>> I'm encountering following scan finding errors and couldn't find way to
>> mitigate this.
>> 
>> Tomcat 8.5.32
>> 12085
>> Apache Tomcat Default Files
>> The following default files were found
>> :/nessus-check/default-404-error-page.html
>> Delete the default index page and remove the example JSP and servlets.

Did you also remove the default files under webapps (examples, ROOT, ...)?
This finding is not only for error pages with a version number!

Peter 

>> Follow the Tomcat or OWASP instructions to replace or modify the default
>> error page.
>> 
>> Thank you,
>> Danyaal
>> 





Re: [EXTERNAL] Re: tomcat Finding!

2018-12-18 Thread Maxim Solodovnik
You have to add Valve under Server/Service/Engine/Host/
Works for us as expected

On Wed, 19 Dec 2018 at 03:17,  wrote:

> Added following to the Server.xml, still showing in the latest scan.
>
> <Valve className="org.apache.catalina.valves.ErrorReportValve"
>        showReport="false" showServerInfo="false" />
>
> Thank you,
> Danyaal
>
> -Original Message-
> From: John Palmer [mailto:johnpalm...@gmail.com]
> Sent: Friday, December 14, 2018 6:26 PM
> To: Tomcat Users List
> Subject: [EXTERNAL] Re: tomcat Finding!
>
>
> I found this to be easier to accomplish (and maintain):
>
> add to the Host section of server.xml:
> <Valve className="org.apache.catalina.valves.ErrorReportValve"
>        showReport="false" showServerInfo="false" />
>
> (this will disable the tomcat version number and the stacktrace  - the
> defaults for these are "true")
>
>
> On Fri, Dec 14, 2018 at 10:18 AM  wrote:
>
> > Good Morning,
> > I'm encountering following scan finding errors and couldn't find way to
> > mitigate this.
> >
> > Tomcat 8.5.32
> > 12085
> > Apache Tomcat Default Files
> > The following default files were found
> > :/nessus-check/default-404-error-page.html
> > Delete the default index page and remove the example JSP and servlets.
> > Follow the Tomcat or OWASP instructions to replace or modify the default
> > error page.
> >
> > Thank you,
> > Danyaal
> >
>


-- 
WBR
Maxim aka solomax


RE: [EXTERNAL] Re: tomcat Finding!

2018-12-18 Thread DANYAAL.HANIF
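Added following to the Server.xml, still showing in the latest scan.

<Valve className="org.apache.catalina.valves.ErrorReportValve"
       showReport="false" showServerInfo="false" />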

Thank you,
Danyaal 

-Original Message-
From: John Palmer [mailto:johnpalm...@gmail.com] 
Sent: Friday, December 14, 2018 6:26 PM
To: Tomcat Users List
Subject: [EXTERNAL] Re: tomcat Finding!


I found this to be easier to accomplish (and maintain):

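add to the Host section of server.xml:
<Valve className="org.apache.catalina.valves.ErrorReportValve"
       showReport="false" showServerInfo="false" />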

(this will disable the tomcat version number and the stacktrace  - the
defaults for these are "true")


On Fri, Dec 14, 2018 at 10:18 AM  wrote:

> Good Morning,
> I'm encountering following scan finding errors and couldn't find way to
> mitigate this.
>
> Tomcat 8.5.32
> 12085
> Apache Tomcat Default Files
> The following default files were found
> :/nessus-check/default-404-error-page.html
> Delete the default index page and remove the example JSP and servlets.
> Follow the Tomcat or OWASP instructions to replace or modify the default
> error page.
>
> Thank you,
> Danyaal
>


Re: tomcat Finding!

2018-12-14 Thread John Palmer
I found this to be easier to accomplish (and maintain):

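add to the Host section of server.xml:
<Valve className="org.apache.catalina.valves.ErrorReportValve"
       showReport="false" showServerInfo="false" />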

(this will disable the tomcat version number and the stacktrace  - the
defaults for these are "true")


On Fri, Dec 14, 2018 at 10:18 AM  wrote:

> Good Morning,
> I'm encountering following scan finding errors and couldn't find way to
> mitigate this.
>
> Tomcat 8.5.32
> 12085
> Apache Tomcat Default Files
> The following default files were found
> :/nessus-check/default-404-error-page.html
> Delete the default index page and remove the example JSP and servlets.
> Follow the Tomcat or OWASP instructions to replace or modify the default
> error page.
>
> Thank you,
> Danyaal
>


RE: tomcat Finding!

2018-12-14 Thread DANYAAL.HANIF
Good Morning,
I'm encountering following scan finding errors and couldn't find way to 
mitigate this.

Tomcat 8.5.32
12085
Apache Tomcat Default Files
The following default files were found 
:/nessus-check/default-404-error-page.html
Delete the default index page and remove the example JSP and servlets. Follow 
the Tomcat or OWASP instructions to replace or modify the default error page.

Thank you,
Danyaal
