sam15

asked on

Apache Tomcat Default Files Vulnerability

Hi


I am trying to fix a reported tenable scan vulnerability with Tomcat 9.0.48.


"The default error page, default index page, example JSPs and /or example servlet are installed on the remote apache tomcat server. These files should be removed as they may help an attacker uncover information about the remote Tomcat install or host itself"


I replaced the default index file and renamed the folders for the examples folder.


Do you know why it keeps showing up and how to fix it?

ASKER CERTIFIED SOLUTION
btan
sam15

ASKER

Let me make sure I understand the proposed solution:

1) I have to update the tomcat/conf/web.xml with this line

<error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.jsp</location>
</error-page>

2) I have to update the WEB-INF/web.xml under WEBAPPS with this

<error-page>
    <error-code>404</error-code>
    <location>/error/404.html</location>
</error-page>

Is this correct?

Also, do I need to do #2 for every single folder (i.e. ROOT, ADMINTOOLS, etc.) under /tomcat/webapps/?
Yes, I suggest you do a test against the changes.

As for all folders, I don't think that's needed. You can see this may also depend on the servlet version.
https://stackoverflow.com/questions/7066192/how-to-specify-the-default-error-page-in-web-xml

ASKER

So which folder under /webapps do you do the change in #2 above?

Do we need to create a new error file "404.html"?
Under web-inf/web.xml, and make sure 404.html is on the same level as the web-inf folder.

ASKER

Hi

Under "/tomcat/webapps/" there are 14 folders and each folder has a "/WEB-INF" in it. Which one are you referring to?

Also, there is no default "404.html". Do I need to create a blank one or copy one from somewhere?

Thanks,


You can try the ROOT webapp in Tomcat, and yes, create that file, as that is what is stated:

<error-page>
    <error-code>404</error-code>
    <location>404.html</location>
</error-page>

ASKER

It seems the article does not require to create a new "404.html" file.

<<The following solution is not ideal as it produces a blank page because Tomcat cannot find the file specified,
but without a better solution this, at least, achieves the desired result>>

When I try to simulate an error on the web server, I get an HTTP Error 404 message, so there is no sensitive information displayed, if that is what is triggering the vulnerability. I will see if the scanner still reports it tonight or not.

No webpage was found for the web address: https://www.abc.com/s
HTTP ERROR 404
Thanks for sharing. The page can be better customised; eventually it is to remove that sensitive data.
https://examples.javacodegeeks.com/enterprise-java/tomcat/apache-tomcat-hardening-tutorial/#toc1000

ASKER

It seems the change is working, as I did not see it in last night's scan. I added this to /tomcat/conf/web.xml

<error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.jsp</location>
</error-page>

<error-page>
    <error-code>404</error-code>
    <location>/error.jsp</location>
</error-page>
<error-page>
    <error-code>405</error-code>
    <location>/error.jsp</location>
</error-page>

-- Add new file "error.jsp" to the ROOT folder
/tomcat/webapps/ROOT

<html>
<head>
  <title>Page not available</title>
</head>
<body>
  <!-- Generic message only: no server version, stack trace or path is shown -->
  <h1><center>The page you are looking for is not available; please contact the administrator.</center></h1>
</body>
</html>


I also changed the default "index.jsp" in the ROOT folder to display a simple message that the server is running, but I lost the default page for Tomcat. Do I have to do this, or was this default "index.jsp" file not causing the problem?



Assuming you want to override the default page, ROOT remains the main HOME.

https://cwiki.apache.org/confluence/display/tomcat/HowTo#HowTo-HowdoIoverridethedefaulthomepageloadedbyTomcat?

How do I override the default home page loaded by Tomcat?

After successfully installing Tomcat, you usually test it by loading http://localhost:8080 . It is quite easy to override that page. Inside $TOMCAT_HOME/conf/web.xml there is a section called <welcome-file-list> and it looks like this:
    <welcome-file-list>
      <welcome-file>index.html</welcome-file>
      <welcome-file>index.htm</welcome-file>
      <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>


The default servlet attempts to load the index.* files in the order listed. You may easily override the index.jsp file by creating an index.html file at $TOMCAT_HOME/webapps/ROOT. It's somewhat common for that file to contain a new static home page or a redirect to a servlet's main page. A redirect would look like:
<html>
<head> <meta http-equiv="refresh" content="0;URL=http://mydomain.com/some/path/to/servlet/homepage/"> </head>
<body> </body>
</html>


This change takes effect immediately and does not require a restart of Tomcat.


ASKER

Yes, but do I need to override or disable the default Tomcat welcome page to fix this vulnerability or not?

I sort of like the default webpage if it is not causing any security issues.
I don't think so; I don't see why we need to replace the default page. The default error page is good enough.
That said, the scanner may have picked up the default installation start page, which is low risk.

There are multiple ways to correct this issue (showing the Tomcat home page), and they vary depending on your environment's/security requirements. The simplest solution would be to rename the index file inside the <Tomcat_directory>/webapps/ROOT directory, or you could rename the ROOT app to another folder name (or delete it if you don't want to manage Tomcat with the Tomcat manager app).

Another means is to disable (comment out, as below) the default start page, though not many will want to, and likely a replacement page is done instead (you need to rename the welcome pages accordingly if they are not index.xxx).

0. Right-click the web.xml file (under ROOT) and select edit:

1. Scroll to the bottom of the file and comment out the following:

    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

2. Example to comment out the lines:
  <!--
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
  -->  
3. Restart Tomcat service
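To check, from the filesystem side, that the hardening discussed in this thread (removing the example webapps, replacing the stock ROOT index page, and mapping 404/405/Throwable to a generic error page in conf/web.xml) is actually in place before the next scan, here is an added Python script. It is not code from the thread, from Tenable, or from Apache Tomcat. The list of default webapps, the marker phrase used to recognise the stock index.jsp, the assumption that conf/web.xml error-page locations are served from webapps/ROOT, and the two sample CATALINA_BASE trees it builds in a temporary directory are all assumptions made for this example.

```python
"""Added example: verify Tomcat default-file hardening from the filesystem.

Checks a CATALINA_BASE tree for stock webapps, a stock ROOT welcome page, and
<error-page> mappings in conf/web.xml whose target file really exists.
All markers, lists and the sample trees are assumptions for this example.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Webapps shipped with a stock Tomcat distribution that a hardened server
# should not expose (assumed list; the thread itself mentions "examples").
DEFAULT_WEBAPPS = ("examples", "docs", "manager", "host-manager")

# Phrase that appears in the stock ROOT/index.jsp welcome page (assumed marker).
DEFAULT_INDEX_MARKER = "you've successfully installed Tomcat"

# Error conditions the thread's final conf/web.xml maps to /error.jsp.
WANTED_ERROR_KEYS = {"404", "405", "java.lang.Throwable"}


def _local(tag):
    """Strip the XML namespace that Tomcat's web.xml declares on every element."""
    return tag.split("}", 1)[-1]


def error_page_mappings(web_xml_path):
    """Return {error-code or exception-type: location} parsed from a web.xml."""
    mappings = {}
    for element in ET.parse(web_xml_path).getroot().iter():
        if _local(element.tag) != "error-page":
            continue
        key = location = None
        for child in element:
            name = _local(child.tag)
            if name in ("error-code", "exception-type"):
                key = (child.text or "").strip()
            elif name == "location":
                location = (child.text or "").strip()
        if key and location:
            mappings[key] = location
    return mappings


def check_tomcat_defaults(catalina_base):
    """Return a sorted list of findings; an empty list means nothing was flagged."""
    findings = []
    webapps = os.path.join(catalina_base, "webapps")
    for name in DEFAULT_WEBAPPS:
        if os.path.isdir(os.path.join(webapps, name)):
            findings.append(f"default webapp present: webapps/{name}")

    index_jsp = os.path.join(webapps, "ROOT", "index.jsp")
    if os.path.isfile(index_jsp):
        with open(index_jsp, encoding="utf-8", errors="replace") as fh:
            if DEFAULT_INDEX_MARKER in fh.read():
                findings.append("stock Tomcat welcome page: webapps/ROOT/index.jsp")

    web_xml = os.path.join(catalina_base, "conf", "web.xml")
    mappings = error_page_mappings(web_xml) if os.path.isfile(web_xml) else {}
    for key in sorted(WANTED_ERROR_KEYS - set(mappings)):
        findings.append(f"no <error-page> for {key} in conf/web.xml")
    for key, location in mappings.items():
        # Assumption: the location is context-relative and served from ROOT,
        # which is where the thread placed error.jsp.
        target = os.path.join(webapps, "ROOT", location.lstrip("/"))
        if not os.path.isfile(target):
            findings.append(f"<error-page> for {key} points at missing file {location}")
    return sorted(findings)


def build_sample_install(base, hardened):
    """Write a constructed, minimal CATALINA_BASE tree (sample data, not a real install)."""
    root = os.path.join(base, "webapps", "ROOT")
    os.makedirs(os.path.join(base, "conf"))
    os.makedirs(root)
    error_pages = ""
    if hardened:
        error_pages = "".join(
            f"<error-page><{kind}>{key}</{kind}><location>/error.jsp</location></error-page>"
            for kind, key in (("exception-type", "java.lang.Throwable"),
                              ("error-code", "404"), ("error-code", "405")))
        with open(os.path.join(root, "error.jsp"), "w") as fh:
            fh.write("<html><body><h1>The page is not available.</h1></body></html>")
    else:
        os.makedirs(os.path.join(base, "webapps", "examples"))
    with open(os.path.join(base, "conf", "web.xml"), "w") as fh:
        fh.write('<?xml version="1.0" encoding="UTF-8"?>'
                 '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">'
                 f"{error_pages}</web-app>")
    with open(os.path.join(root, "index.jsp"), "w") as fh:
        fh.write("<h1>Server is running</h1>" if hardened
                 else f"<h2>If you're seeing this, {DEFAULT_INDEX_MARKER}. Congratulations!</h2>")
    return base


def demo():
    """Build a stock-looking and a hardened sample tree and return both finding lists."""
    tmp = tempfile.mkdtemp(prefix="tomcat-check-")
    stock = check_tomcat_defaults(build_sample_install(os.path.join(tmp, "stock"), False))
    hardened = check_tomcat_defaults(build_sample_install(os.path.join(tmp, "hard"), True))
    return stock, hardened


if __name__ == "__main__":
    for label, result in zip(("stock", "hardened"), demo()):
        print(label, "->", result or "no findings")
```

Run it against a real install with `check_tomcat_defaults("/path/to/tomcat")`; each finding names the file the scanner is likely to have fingerprinted, so a clean run before the scheduled scan is a cheap way to avoid another night of guessing which default file is still present.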