Hello Chris, they only mention port 8080 and no other info. I will try that telnet command and see.

On Thu, 6 Aug 2020 at 23:20, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Fang,
>
> On 8/5/20 22:16, FANG YAP wrote:
> > Did that as well, but the scanner still flagged but it is to say is
> > a false positive result in their scan?
>
> Well, they are complaining that Tomcat is revealing its version number
> (right?). That's not a false-positive. It's just ... I guess being
> picky. I get it: it's best not to reveal anything.
>
> But if their scanner is still finding it, you aren't done yet.
>
> Can they tell you what request causes this "failure" to occur? Maybe
> you fixed 404s but not 400s?
>
> Try making a request like this:
>
> $ telnet localhost 8080
> GET /foo HTML/4.0
> [newline]
> [newline]
>
> See what comes back. That should come back as a 400 Bad Request and it
> might include Tomcat's version information, etc.
>
> -chris
>
> > On Wed, 5 Aug 2020, 04:21 Christopher Schultz,
> > <ch...@christopherschultz.net> wrote:
> >
> > Fang,
> >
> > On 8/3/20 23:10, FANG YAP wrote:
> >>>> I have an issue on the subject mentioned as the vulnerability
> >>>> scan flagged out.
> >>>>
> >>>> Plugin: 12085 Plugin Text: Apache Tomcat Default Files
> >>>> Protocol: TCP Port: 8080
> >>>>
> >>>> Apache Tomcat 8.5.55 (x64-bit machines)
> >>>>
> >>>> In my app folder (located in the webapp folder) I already had
> >>>> the necessary error pages. Also indicated the error jsp file
> >>>> in the app's web.xml. How to know what should be shown when
> >>>> they(user) enter the wrong site for tomcat?
> >>>>
> >>>> Should it be showing this page below or it should show my
> >>>> custom error page set in app's web.xml? HTTP 404 No Found The
> >>>> webpage cannot be found.. Most likely causes:... - There
> >>>> might be a typing error in the address - If you clicked on a
> >>>> link, it may be out of date
> >>>>
> >>>> What you can try: .....
> >
> > This doesn't look like a vuln to me. Your scanner is being
> > overzealous.
> >
> > But if you want to replace the 404 Not Found page when you request
> > /noapp and your application is deployed to /myapp then you can't
> > fix the problem in "myapp". You have to make other arrangements.
> >
> > The easiest thing to do is deploy a ROOT application with all
> > errors (including 404) pointing to a custom error page. You can do
> > this in your ROOT application's WEB-INF/web.xml file.
> >
> > -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
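
Added example, not part of the original thread and not Tomcat project code: a Python version of the manual telnet check quoted above, sending both a request for an undeployed path and the malformed request line, then reporting where a version banner appears. The host and port, the banner pattern `Apache Tomcat/x.y.z` and both sample responses are assumptions constructed for illustration.

```python
import re
import socket

# Probes taken from the thread: a well-formed request for an undeployed
# context (expect 404) and the malformed request line (expect 400).
PROBES = {
    "404": b"GET /noapp HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n",
    "400": b"GET /foo HTML/4.0\r\n\r\n",
}
# Assumed banner format, e.g. "Apache Tomcat/8.5.55".
BANNER = re.compile(r"Apache Tomcat/\d+(?:\.\d+)*")

def send_probe(request, host="localhost", port=8080, timeout=5.0):
    """Send raw bytes and return everything the server sends back, as text."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # server kept the connection open; use what arrived
    return b"".join(chunks).decode("iso-8859-1")

def analyze(raw):
    """Return (status_code, [(where, banner), ...]) for one raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    fields = head.split("\r\n", 1)[0].split(" ", 2)
    status = int(fields[1]) if len(fields) > 1 and fields[1].isdigit() else None
    leaks = [("headers", m.group(0)) for m in BANNER.finditer(head)]
    leaks += [("body", m.group(0)) for m in BANNER.finditer(body)]
    return status, leaks

# Constructed sample responses (not captured from a real server).
SAMPLE_DEFAULT_400 = (
    "HTTP/1.1 400 \r\nContent-Type: text/html;charset=utf-8\r\n\r\n"
    "<html><body><h1>HTTP Status 400 - Bad Request</h1>"
    "<h3>Apache Tomcat/8.5.55</h3></body></html>"
)
SAMPLE_CUSTOM_404 = ("HTTP/1.1 404 \r\nContent-Type: text/html\r\n\r\n"
                     "<html><body><h1>Page not found</h1></body></html>")

if __name__ == "__main__":
    for expected, request in PROBES.items():
        status, leaks = analyze(send_probe(request))
        print(f"probe {expected}: got {status}, version leaks: {leaks or 'none'}")
```

A probe that still reports a leak after the ROOT application's error pages are in place identifies which status code the custom page does not yet cover.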