On 11/01/2014 00:02, Caldarale, Charles R wrote:
>> From: August Kleimo [mailto:aug...@kleimo.com]
>> Subject: "exception-message" header reveals path to document root in 404 response.
>
>> I'm failing a PCI compliance scan because my Tomcat Version 7.0.20 server is revealing the path to the document web root in an "exception-message" header when a missing page is requested.
>
> If you were really worried about security, you wouldn't be running a version of Tomcat that's 2.5 years old. Seriously, upgrade.
You have to wonder about the quality of a compliance scan that complains about the exposure of a completely standard path for web content but doesn't complain about running a server with 9 important, 2 moderate and 1 low security vulnerabilities. While a number of those vulnerabilities may not impact the server, several of the DoS vulnerabilities certainly will.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org