Re: exception-message header reveals path to document root in 404 response.

2014-01-11 Thread Mark Thomas
On 11/01/2014 00:02, Caldarale, Charles R wrote:
 From: August Kleimo [mailto:aug...@kleimo.com] 
 Subject: exception-message header reveals path to document root in 404 
 response.
 
 I'm failing a PCI compliance scan because my Tomcat Version 7.0.20 server
 is revealing the path to the document web root in an exception-message
 header when a missing page is requested.
 
 If you were really worried about security, you wouldn't be running a version 
 of Tomcat that's 2.5 years old.  Seriously, upgrade.

You have to wonder about the quality of a compliance scan that complains
about the exposure of a completely standard path for web content but
doesn't complain about running a server with 9 important, 2 moderate and
1 low security vulnerabilities. While a number of those vulnerabilities
may not impact the server, several of the DoS vulnerabilities certainly
will.

Mark


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: exception-message header reveals path to document root in 404 response.

2014-01-11 Thread Howard W. Smith, Jr.
On Fri, Jan 10, 2014 at 7:02 PM, Caldarale, Charles R 
chuck.caldar...@unisys.com wrote:

 Here's Tomcat's standard 404 response:

 HTTP/1.1 404 Not Found
 Server: Apache-Coyote/1.1
 Content-Type: text/html;charset=utf-8
 Content-Length: 1027
 Date: Fri, 10 Jan 2014 23:59:34 GMT


Wow, when I saw this last night, I shook my head and said to myself,

Server: Apache-Coyote/1.1

this may be one of the reasons why my server/web-app are subject to
repeat-offender attacks from certain/few IP addresses in China/Vietnam.

I never knew that a 404 would expose the server name (apache coyote). I
guess/assume that once they see that server name in the 404 response, some
of those bots continue to try and try.


RE: exception-message header reveals path to document root in 404 response.

2014-01-11 Thread Caldarale, Charles R
 From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com] 
 Subject: Re: exception-message header reveals path to document root in 404 
 response.

 Wow, when I saw this last night, I shook my head and said to myself,

 Server: Apache-Coyote/1.1

 this may be one of the reasons why my server/web-app are subject to
 repeat-offender attacks from certain/few IP addresses in China/Vietnam.

For the truly paranoid (to quote from the docs), look at the server attribute 
of the Connector element:
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.





Re: exception-message header reveals path to document root in 404 response.

2014-01-11 Thread Christopher Schultz

August,

On 1/10/14, 7:48 PM, August Kleimo wrote:
 Hi All,  Thanks for all your replies.  Turns out it was in fact
 Railo.  I searched the Railo repo on GitHub and found a reference
 to that header.  I was able to overwrite it with a blank string
 using this line of code.
 
 <cfset getPageContext().getResponse().setHeader("exception-message","")>

There's a better option for you that will be less fragile: write a
Filter that wraps your response with a HttpServletResponse which
ignores all attempts to set the exception-message header.

This is better than your approach because it will prevent the header
from ever being set rather than going back to fix it up. It will even
work in cases where the header has been set and the response has been
committed to the client before your fix-up code runs.

- -chris
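The Filter approach Chris describes above, written out as an added example (not code from the thread, from Railo or from Tomcat). It uses the javax.servlet API that Tomcat 7 implements; the class name and the header constant are assumptions, and the web.xml registration is left to the usage note below.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Wraps the response so that any attempt to set or add the
 * "exception-message" header is silently dropped before it is written,
 * which avoids the "fix it up afterwards" race on a committed response.
 * Added example; class name and header name are assumptions.
 */
public class HeaderSuppressingFilter implements Filter {

    /** Header to suppress; HTTP header names are case-insensitive. */
    private static final String BLOCKED_HEADER = "exception-message";

    @Override
    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            // Hand the downstream servlet (Railo, default servlet, ...) the wrapper
            res = new SuppressingResponse((HttpServletResponse) res);
        }
        chain.doFilter(req, res);
    }

    /** Response wrapper that ignores the blocked header on every write path. */
    static class SuppressingResponse extends HttpServletResponseWrapper {

        SuppressingResponse(HttpServletResponse wrapped) {
            super(wrapped);
        }

        private static boolean blocked(String name) {
            return name != null && BLOCKED_HEADER.equalsIgnoreCase(name);
        }

        @Override
        public void setHeader(String name, String value) {
            if (!blocked(name)) {
                super.setHeader(name, value);
            }
        }

        @Override
        public void addHeader(String name, String value) {
            if (!blocked(name)) {
                super.addHeader(name, value);
            }
        }
    }
}
```

Register it in the web application's web.xml with a <filter> element and a <filter-mapping> whose <url-pattern> is /*, so it wraps requests to every servlet, not only the CFML one. If the header is set while an error page is being rendered through the container's error dispatch, the mapping also needs <dispatcher>ERROR</dispatcher> alongside the default REQUEST dispatch, otherwise the filter is not invoked for that pass.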



Re: exception-message header reveals path to document root in 404 response.

2014-01-11 Thread Christopher Schultz

Chuck,

On 1/11/14, 9:01 AM, Caldarale, Charles R wrote:
 From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com] 
 Subject: Re: exception-message header reveals path to document
 root in 404 response.
 
 Wow, when I saw this last night, I shook my head and said to
 myself,
 
 Server: Apache-Coyote/1.1
 
 this may be one of the reasons why my server/web-app are subject
 to repeat-offender attacks from certain/few IP addresses in
 China/Vietnam.
 
 For the truly paranoid (to quote from the docs), look at the server
 attribute of the Connector element: 
 http://tomcat.apache.org/tomcat-7.0-doc/config/http.html

Or just not worry about it because Tomcat has reported
Apache-Coyote/1.1 since ... pretty much forever. That server string
doesn't give any information other than the fact that you are likely
running Tomcat (I think JBoss, Weblogic, etc. use that string too) and
almost definitely using a Java servlet container.

- -chris



Re: exception-message header reveals path to document root in 404 response.

2014-01-11 Thread Howard W. Smith, Jr.
On Sat, Jan 11, 2014 at 9:01 AM, Caldarale, Charles R 
chuck.caldar...@unisys.com wrote:

  From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com]
  Subject: Re: exception-message header reveals path to document root in
 404 response.

  Wow, when I saw this last night, I shook my head and said to myself,

  Server: Apache-Coyote/1.1

  this may be one of the reasons why my server/web-app are subject to
  repeat-offender attacks from certain/few IP addresses in China/Vietnam.

 For the truly paranoid (to quote from the docs), look at the server
 attribute of the Connector element:
 http://tomcat.apache.org/tomcat-7.0-doc/config/http.html


+1 and LOL.

server

Overrides the Server header for the http response. If set, the value for
this attribute overrides the Tomcat default and any Server header set by a
web application. If not set, any value specified by the application is
used. If the application does not specify a value then Apache-Coyote/1.1 is
used. Unless you are paranoid, you won't need this feature.

Thanks Chuck for the response and for quoting the user guide. I have not
set 'server' on the Connector and still have no need of setting the
'server' attribute. Nice to know that that is available. :)


“exception-message” header reveals path to document root in 404 response.

2014-01-10 Thread August Kleimo
I'm failing a PCI compliance scan because my Tomcat Version 7.0.20 server
is revealing the path to the document web root in an exception-message
header when a missing page is requested.

Does anyone know of a way to get rid of this header from the response?

Note: I'm running Railo 4.1.2 on top of Tomcat ... but I think this header
is coming from Tomcat.

$ curl -I http://mydomain.com/this-page-does-not-exist.html

HTTP/1.1 404 Not Found
Date: Fri, 10 Jan 2014 23:23:22 GMT
Server: Apache-Coyote/1.1
exception-message: Page
/this-page-does-not-exist.html [/var/www/html/this-page-does-not-exist.html]
not found
Content-Type: text/html;charset=UTF-8
Content-Length: 44
Set-Cookie: cfid=686ea13b-ef35-43c3-b6e4-08270bbb4718;Path=/;Expires=Sun,
10-Jan-2044 07:14:52 GMT;HTTPOnly
Set-Cookie: cftoken=0;Path=/;Expires=Sun, 10-Jan-2044 07:14:52 GMT;HTTPOnly
Connection: close
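The scan finding above comes down to a response header whose value contains a server-side filesystem path. As an added example (not from the thread), here is a small check that parses the header block of a raw HTTP response and reports any header value that looks like such a path. The sample response is constructed to resemble the curl -I output above; the class name and the path heuristic are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Flags response headers that leak server-side filesystem paths.
 * Added example; the regex is a heuristic covering common Unix roots
 * and Windows drive paths, not an exhaustive rule.
 */
public class PathLeakCheck {

    /** Unix paths under common roots, or Windows drive-letter paths. */
    private static final Pattern FS_PATH = Pattern.compile(
        "/(?:var|home|opt|usr|srv|etc|tmp)/[^\\s\\]]+|[A-Za-z]:\\\\[^\\s\\]]+");

    /** Constructed sample modelled on the 404 quoted in the thread. */
    static final String SAMPLE_404 =
          "HTTP/1.1 404 Not Found\r\n"
        + "Date: Fri, 10 Jan 2014 23:23:22 GMT\r\n"
        + "Server: Apache-Coyote/1.1\r\n"
        + "exception-message: Page /missing.html [/var/www/html/missing.html] not found\r\n"
        + "Content-Type: text/html;charset=UTF-8\r\n"
        + "Content-Length: 44\r\n"
        + "\r\n";

    /** Returns "header-name: matched-path" for every header value containing a path. */
    static List<String> leakingHeaders(String rawResponse) {
        List<String> hits = new ArrayList<>();
        String[] lines = rawResponse.split("\r?\n");
        // Start at 1 to skip the status line; the header block ends at the first blank line.
        for (int i = 1; i < lines.length && !lines[i].isEmpty(); i++) {
            int colon = lines[i].indexOf(':');
            if (colon < 0) {
                continue; // not a "Name: value" line
            }
            String name = lines[i].substring(0, colon).trim();
            String value = lines[i].substring(colon + 1).trim();
            Matcher m = FS_PATH.matcher(value);
            while (m.find()) {
                hits.add(name + ": " + m.group());
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        List<String> hits = leakingHeaders(SAMPLE_404);
        if (hits.isEmpty()) {
            System.out.println("no filesystem paths found in response headers");
        }
        for (String hit : hits) {
            System.out.println("path leaked in header -> " + hit);
        }
    }
}
```

Run against the sample it reports the exception-message header with /var/www/html/missing.html and nothing else; the request path in the same value (/missing.html) is not flagged because it does not start with one of the listed roots. Pointing the same logic at the raw output of curl -I against a staging server is a cheap way to confirm a fix before the next compliance scan.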


Re: “exception-message” header reveals path to document root in 404 response.

2014-01-10 Thread Mark Eggers

On 1/10/2014 3:28 PM, August Kleimo wrote:

I'm failing a PCI compliance scan because my Tomcat Version 7.0.20 server
is revealing the path to the document web root in an exception-message
header when a missing page is requested.

Does anyone know of a way to get rid of this header from the response?

Note: I'm running Railo 4.1.2 on top of Tomcat ... but I think this header
is coming from Tomcat.

$ curl -I http://mydomain.com/this-page-does-not-exist.html

HTTP/1.1 404 Not Found
Date: Fri, 10 Jan 2014 23:23:22 GMT
Server: Apache-Coyote/1.1
exception-message: Page
/this-page-does-not-exist.html [/var/www/html/this-page-does-not-exist.html]
not found
Content-Type: text/html;charset=UTF-8
Content-Length: 44
Set-Cookie: cfid=686ea13b-ef35-43c3-b6e4-08270bbb4718;Path=/;Expires=Sun,
10-Jan-2044 07:14:52 GMT;HTTPOnly
Set-Cookie: cftoken=0;Path=/;Expires=Sun, 10-Jan-2044 07:14:52 GMT;HTTPOnly
Connection: close


From Tomcat 7.0.42 / APR Native on Fedora 20 with jre 1.7.0_45:

curl -I http://localhost:8080/this-does-not-exist.html
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 999
Date: Fri, 10 Jan 2014 23:46:44 GMT

A quick grep of the Tomcat 7 trunk code does not reveal the string 
'exception-message' anywhere.


I didn't see anything in the change log concerning this, either.

. . . . just my (waiting for testing to be done) two cents
/mde/






RE: exception-message header reveals path to document root in 404 response.

2014-01-10 Thread Caldarale, Charles R
 From: August Kleimo [mailto:aug...@kleimo.com] 
 Subject: exception-message header reveals path to document root in 404 
 response.

 I'm failing a PCI compliance scan because my Tomcat Version 7.0.20 server
 is revealing the path to the document web root in an exception-message
 header when a missing page is requested.

If you were really worried about security, you wouldn't be running a version of 
Tomcat that's 2.5 years old.  Seriously, upgrade.

 Does anyone know of a way to get rid of this header from the response?

Use your own custom error page.

 Note: I'm running Railo 4.1.2 on top of Tomcat ... but I think this header
 is coming from Tomcat.

Nope.  Here's Tomcat's standard 404 response:

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 1027
Date: Fri, 10 Jan 2014 23:59:34 GMT

Most likely Railo is using a friendly error page.

 - Chuck





Re: “exception-message” header reveals path to document root in 404 response.

2014-01-10 Thread August Kleimo
Thanks, Perhaps it's coming from Railo then.  I'll investigate down that
path.


On Fri, Jan 10, 2014 at 3:56 PM, Mark Eggers its_toas...@yahoo.com wrote:

 On 1/10/2014 3:28 PM, August Kleimo wrote:

 I'm failing a PCI compliance scan because my Tomcat Version 7.0.20 server
 is revealing the path to the document web root in an exception-message
 header when a missing page is requested.

 Does anyone know of a way to get rid of this header from the response?

 Note: I'm running Railo 4.1.2 on top of Tomcat ... but I think this header
 is coming from Tomcat.

 $ curl -I http://mydomain.com/this-page-does-not-exist.html

 HTTP/1.1 404 Not Found
 Date: Fri, 10 Jan 2014 23:23:22 GMT
 Server: Apache-Coyote/1.1
 exception-message: Page
 /this-page-does-not-exist.html [/var/www/html/this-page-does-not-exist.html]
 not found
 Content-Type: text/html;charset=UTF-8
 Content-Length: 44
 Set-Cookie: cfid=686ea13b-ef35-43c3-b6e4-08270bbb4718;Path=/;Expires=Sun,
 10-Jan-2044 07:14:52 GMT;HTTPOnly
 Set-Cookie: cftoken=0;Path=/;Expires=Sun, 10-Jan-2044 07:14:52
 GMT;HTTPOnly
 Connection: close

  From Tomcat 7.0.42 / APR Native on Fedora 20 with jre 1.7.0_45:

 curl -I http://localhost:8080/this-does-not-exist.html
 HTTP/1.1 404 Not Found
 Server: Apache-Coyote/1.1
 Content-Type: text/html;charset=utf-8
 Content-Length: 999
 Date: Fri, 10 Jan 2014 23:46:44 GMT

 A quick grep of the Tomcat 7 trunk code does not reveal the string
 'exception-message' anywhere.

 I didn't see anything in the change log concerning this, either.

 . . . . just my (waiting for testing to be done) two cents
 /mde/







Re: exception-message header reveals path to document root in 404 response.

2014-01-10 Thread Jordan Michaels
Although I suppose it's possible, I don't think it has to do with Railo. 
The Railo servlet doesn't handle requests for .html files... those are 
handled by Tomcat's default servlet.


Here are the default (suggested) handlers for a Railo install:

<servlet-mapping>
<servlet-name>CFMLServlet</servlet-name>
<url-pattern>*.cfm</url-pattern>
<url-pattern>*.cfml</url-pattern>
<url-pattern>*.cfc</url-pattern>
<!-- Basic SES Mappings -->
<url-pattern>/index.cfc/*</url-pattern>
<url-pattern>/index.cfm/*</url-pattern>
<url-pattern>/index.cfml/*</url-pattern>
</servlet-mapping>

<!-- Mapping for Flex Gateway Servlet -->
<servlet-mapping>
<servlet-name>MessageBrokerServlet</servlet-name>
<url-pattern>/flex2gateway/*</url-pattern>
<url-pattern>/flashservices/gateway/*</url-pattern>
<url-pattern>/messagebroker/*</url-pattern>
</servlet-mapping>

<!-- mapping for Railo's REST servlet -->
<servlet-mapping>
<servlet-name>RestServlet</servlet-name>
<url-pattern>/rest/*</url-pattern>
</servlet-mapping>

August, can you describe your install a bit more? How did you install 
Railo? Did you start with a Vanilla Tomcat install and install a Railo 
war? Have you customized your install at all or added any custom configs?


Warm Regards,
Jordan Michaels

On 01/10/2014 04:02 PM, Caldarale, Charles R wrote:

From: August Kleimo [mailto:aug...@kleimo.com]
Subject: exception-message header reveals path to document root in 404 
response.



I'm failing a PCI compliance scan because my Tomcat Version 7.0.20 server
is revealing the path to the document web root in an exception-message
header when a missing page is requested.


If you were really worried about security, you wouldn't be running a version of 
Tomcat that's 2.5 years old.  Seriously, upgrade.


Does anyone know of a way to get rid of this header from the response?


Use your own custom error page.


Note: I'm running Railo 4.1.2 on top of Tomcat ... but I think this header
is coming from Tomcat.


Nope.  Here's Tomcat's standard 404 response:

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 1027
Date: Fri, 10 Jan 2014 23:59:34 GMT

Most likely Railo is using a friendly error page.

  - Chuck





Re: exception-message header reveals path to document root in 404 response.

2014-01-10 Thread Jordan Michaels
It may also be useful to know if you get this same exception-message 
header when you get a 404 from the Railo servlet (from a request for a 
.cfm file).


It may help determine if Railo is involved or not.

Warm Regards,
Jordan Michaels

On 01/10/2014 04:02 PM, Caldarale, Charles R wrote:

From: August Kleimo [mailto:aug...@kleimo.com]
Subject: exception-message header reveals path to document root in 404 
response.



I'm failing a PCI compliance scan because my Tomcat Version 7.0.20 server
is revealing the path to the document web root in an exception-message
header when a missing page is requested.


If you were really worried about security, you wouldn't be running a version of 
Tomcat that's 2.5 years old.  Seriously, upgrade.


Does anyone know of a way to get rid of this header from the response?


Use your own custom error page.


Note: I'm running Railo 4.1.2 on top of Tomcat ... but I think this header
is coming from Tomcat.


Nope.  Here's Tomcat's standard 404 response:

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 1027
Date: Fri, 10 Jan 2014 23:59:34 GMT

Most likely Railo is using a friendly error page.

  - Chuck





Re: exception-message header reveals path to document root in 404 response.

2014-01-10 Thread August Kleimo
Hi All,  Thanks for all your replies.  Turns out it was in fact Railo.  I
searched the Railo repo on GitHub and found a reference to that header.  I
was able to overwrite it with a blank string using this line of code.

<cfset getPageContext().getResponse().setHeader("exception-message","")>




On Fri, Jan 10, 2014 at 4:36 PM, Jordan Michaels jor...@viviotech.net wrote:

 It may also be useful to know if you get this same exception-message
 header when you get a 404 from the Railo servlet (from a request for a .cfm
 file).

 It may help determine if Railo is involved or not.


 Warm Regards,
 Jordan Michaels

 On 01/10/2014 04:02 PM, Caldarale, Charles R wrote:

 From: August Kleimo [mailto:aug...@kleimo.com]
 Subject: exception-message header reveals path to document root in 404
 response.


  I'm failing a PCI compliance scan because my Tomcat Version 7.0.20 server
 is revealing the path to the document web root in an exception-message
 header when a missing page is requested.


 If you were really worried about security, you wouldn't be running a
 version of Tomcat that's 2.5 years old.  Seriously, upgrade.

  Does anyone know of a way to get rid of this header from the response?


 Use your own custom error page.

  Note: I'm running Railo 4.1.2 on top of Tomcat ... but I think this
 header
 is coming from Tomcat.


 Nope.  Here's Tomcat's standard 404 response:

 HTTP/1.1 404 Not Found
 Server: Apache-Coyote/1.1
 Content-Type: text/html;charset=utf-8
 Content-Length: 1027
 Date: Fri, 10 Jan 2014 23:59:34 GMT

 Most likely Railo is using a friendly error page.

   - Chuck






Re: exception-message header reveals path to document root in 404 response.

2014-01-10 Thread Jordan Michaels

Thanks August, good to know.

Warm Regards,
Jordan Michaels

On 01/10/2014 04:48 PM, August Kleimo wrote:

Hi All,  Thanks for all your replies.  Turns out it was in fact Railo.  I
searched the Railo repo on GitHub and found a reference to that header.  I
was able to overwrite it with a blank string using this line of code.

<cfset getPageContext().getResponse().setHeader("exception-message","")>




On Fri, Jan 10, 2014 at 4:36 PM, Jordan Michaels jor...@viviotech.net wrote:


It may also be useful to know if you get this same exception-message
header when you get a 404 from the Railo servlet (from a request for a .cfm
file).

It may help determine if Railo is involved or not.


Warm Regards,
Jordan Michaels

On 01/10/2014 04:02 PM, Caldarale, Charles R wrote:


From: August Kleimo [mailto:aug...@kleimo.com]

Subject: exception-message header reveals path to document root in 404
response.



  I'm failing a PCI compliance scan because my Tomcat Version 7.0.20 server

is revealing the path to the document web root in an exception-message
header when a missing page is requested.



If you were really worried about security, you wouldn't be running a
version of Tomcat that's 2.5 years old.  Seriously, upgrade.

  Does anyone know of a way to get rid of this header from the response?




Use your own custom error page.

  Note: I'm running Railo 4.1.2 on top of Tomcat ... but I think this

header
is coming from Tomcat.



Nope.  Here's Tomcat's standard 404 response:

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 1027
Date: Fri, 10 Jan 2014 23:59:34 GMT

Most likely Railo is using a friendly error page.

   - Chuck







