sam15 asked:

Apache Tomcat Default Files Vulnerability

Hi


I am trying to fix a reported tenable scan vulnerability with Tomcat 9.0.48.


"The default error page, default index page, example JSPs and /or example servlet are installed on the remote apache tomcat server. These files should be removed as they may help an attacker uncover information about the remote Tomcat install or host itself"


I replaced the default index file and renamed the folders for the examples folder.


Do you know why it keeps showing up and how to fix it?

Tags: Tomcat, Apache Web Server, vulnerability, Security
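Before touching error pages it helps to know exactly which of the stock artifacts named in the finding are still on disk. The script below is an added example (it is not from the thread and not Tomcat's own tooling). It assumes the standard layout of a CATALINA_HOME with a webapps/ directory under it, and the string it greps for in ROOT/index.jsp (getServerInfo) is how the shipped index page puts the Tomcat version into its title. One caveat it makes visible: renaming a directory under webapps/ does not undeploy it, because Tomcat auto-deploys every directory in webapps/, so a renamed examples directory is simply served under its new context path and still shows up in deployed_contexts.

```shell
#!/usr/bin/env sh
# Added example (not from the thread). Inventory and removal of the stock Tomcat
# webapps and the stock ROOT index page that the scanner finding refers to.
# Assumes the standard layout: $CATALINA_HOME/webapps/<context>/

STOCK_APPS="examples docs manager host-manager"   # shipped with every Tomcat distribution

# deployed_contexts HOME -> one line per directory under webapps/, i.e. every
# context Tomcat will auto-deploy. A renamed examples/ directory still shows up
# here under its new name; renaming does not undeploy it.
deployed_contexts() {
    for d in "$1"/webapps/*/; do
        [ -d "$d" ] && basename "$d"
    done
    return 0
}

# default_webapps HOME -> prints the stock artifacts still present: the four
# stock webapps, and ROOT/index.jsp if it is still the shipped page (the shipped
# page renders getServerInfo(), e.g. "Apache Tomcat/9.0.48", inside its <title>).
default_webapps() {
    home="$1"
    for app in $STOCK_APPS; do
        [ -d "$home/webapps/$app" ] && echo "$home/webapps/$app"
    done
    if [ -f "$home/webapps/ROOT/index.jsp" ] && grep -q 'getServerInfo' "$home/webapps/ROOT/index.jsp"; then
        echo "$home/webapps/ROOT/index.jsp"
    fi
    return 0
}

# remove_defaults HOME: delete everything default_webapps lists. Only run this
# once you have confirmed nothing legitimate is served from those contexts
# (manager/host-manager in particular, if you administer Tomcat through them).
remove_defaults() {
    default_webapps "$1" | while IFS= read -r path; do
        rm -rf "$path"
    done
}

# Usage: sh tomcat-defaults.sh /opt/tomcat         (inventory only)
#        sh tomcat-defaults.sh /opt/tomcat remove  (inventory, then remove)
if [ $# -ge 1 ]; then
    echo "Deployed contexts:";      deployed_contexts "$1"
    echo "Stock artifacts present:"; default_webapps "$1"
    if [ "${2:-}" = "remove" ]; then
        remove_defaults "$1"
    fi
fi
```

Run the inventory first and compare it with the scanner's wording: every stock context it lists is reachable at /<name>/ on the server until it is removed, not just renamed.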

Last Comment: btan, 8/22/2022 - Mon

ASKER CERTIFIED SOLUTION
btan
(accepted answer not shown; it is behind the site's membership wall)
sam15

ASKER
Let me make sure I understand the proposed solution:

1) I have to update tomcat/conf/web.xml with this:

<error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.jsp</location>
</error-page>

2) I have to update the WEB-INF/web.xml under WEBAPPS with this

<error-page>
    <error-code>404</error-code>
    <location>/error/404.html</location>
</error-page>

Is this correct?

Also, do I need to do #2 for every single folder (i.e. ROOT, ADMINTOOLS, etc.) under /tomcat/webapps/?
btan

Yes, I suggest you do a test against the changes.

As for all folders, I don't think that's needed. You can see this may also depend on the version of the servlet.
https://stackoverflow.com/questions/7066192/how-to-specify-the-default-error-page-in-web-xml
sam15

ASKER
So which folder under /webapps do you make the change in #2 above?

Do we need to create a new error file "404.html"?
btan

Under WEB-INF/web.xml, and make sure 404.html is on the same level as the WEB-INF folder.
sam15

ASKER
Hi

Under "/tomcat/webapps/" there are 14 folders and each folder has "/WEB-INF" in it. Which one are you referring to?

Also, there is no default "404.html". Do I need to create a blank one or copy one from somewhere?

Thanks,


btan

You can try the ROOT webapp in Tomcat, and yes, create that file, as that is what is stated:

<error-page>
    <error-code>404</error-code>
    <!-- location must be a context-relative path that starts with "/" -->
    <location>/404.html</location>
</error-page>
sam15

ASKER
It seems the article does not require to create a new "404.html" file.

"The following solution is not ideal as it produces a blank page because Tomcat cannot find the file specified, but without a better solution this, at least, achieves the desired result."

When I try to simulate an error on the web server, I get an HTTP Error 404 message, so there is no sensitive information displayed, if that is what is triggering the vulnerability. I will see if the scanner still reports it tonight or not.

No webpage was found for the web address: https://www.abc.com/s
HTTP ERROR 404
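Waiting for the nightly scan is the slow way to find out whether the stock pages are gone. The script below is an added example (not from the thread, and not a Tenable plugin) of the same kind of check done locally: it fetches a few paths, treats a 200 on the example and docs contexts as a finding, and fingerprints every response body for markers a stock Tomcat page carries, namely the "Apache Tomcat/<version>" banner that both the shipped ROOT index and the default ErrorReportValve page print, and the "Type Status Report" line of that default error page. The paths probed are assumptions about what a scanner of this kind requests, and the sample bodies at the bottom are constructed for the demonstration, modelled on the shipped pages rather than captured from a server.

```shell
#!/usr/bin/env sh
# Added example (not from the thread). Local check for the stock Tomcat pages
# the scanner finding names, to run before the nightly scan. probe() needs curl
# and network access; classify() and is_tomcat_default_page() are pure and can
# be used on saved response bodies.

# is_tomcat_default_page BODY -> 0 if BODY carries the markers of a stock Tomcat page
is_tomcat_default_page() {
    case "$1" in
        *"Apache Tomcat/"*)                return 0 ;;  # version banner: shipped ROOT index <title> and error page <h3>
        *"successfully installed Tomcat"*) return 0 ;;  # shipped ROOT index.jsp welcome text
        *"<b>Type</b> Status Report"*)     return 0 ;;  # default ErrorReportValve page
    esac
    return 1
}

# classify PATH STATUS BODY -> prints one result line; returns 0 when clean, 1 on a finding
classify() {
    path="$1"; status="$2"; body="$3"
    case "$path" in
        /examples/*|/docs/*)
            if [ "$status" = "200" ]; then
                echo "FINDING $path -> $status (stock webapp still deployed)"
                return 1
            fi ;;
    esac
    if is_tomcat_default_page "$body"; then
        echo "FINDING $path -> $status (stock Tomcat page; body discloses the Tomcat version)"
        return 1
    fi
    echo "ok      $path -> $status"
    return 0
}

# probe BASE_URL: fetch each path and classify it. The last path is random so it
# exercises the 404 handler, which is where the default error page shows up.
# (Add -k to curl only for test hosts with self-signed certificates.)
probe() {
    base="${1%/}"; rc=0
    for p in / /examples/servlets/ /examples/jsp/ /docs/ "/no-such-page-$$"; do
        tmp=$(mktemp)
        status=$(curl -s -o "$tmp" -w '%{http_code}' "$base$p")
        classify "$p" "$status" "$(cat "$tmp")" || rc=1
        rm -f "$tmp"
    done
    return $rc
}

# Constructed sample bodies, modelled on the shipped pages (not captured from a server).
STOCK_INDEX='<html><head><title>Apache Tomcat/9.0.48</title></head><body><h2>If you are seeing this, you have successfully installed Tomcat.</h2></body></html>'
STOCK_404='<html><head><title>HTTP Status 404 - Not Found</title></head><body><h1>HTTP Status 404 - Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><hr class="line" /><h3>Apache Tomcat/9.0.48</h3></body></html>'
CUSTOM_404='<html><body><h1>The page you are looking for is not available; please contact the administrator.</h1></body></html>'

# Usage: sh tomcat-check.sh https://www.abc.com
if [ $# -ge 1 ]; then
    probe "$1"
fi
```

A custom page that passes this check still has to exist in every context the global <error-page> in conf/web.xml applies to, because <location> is resolved relative to the context that raised the error. If you would rather not ship an error.jsp into each webapp, the stock 404 above is produced by Tomcat's ErrorReportValve, and its showReport="false" and showServerInfo="false" attributes (set on the Host in server.xml) strip the report body and the version banner without any per-app file.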





btan

Thanks for sharing. The page can be customised further; eventually the point is to remove that sensitive data.
https://examples.javacodegeeks.com/enterprise-java/tomcat/apache-tomcat-hardening-tutorial/#toc1000
sam15

ASKER
It seems the change is working, as I did not see it in last night's scan. I added this to /tomcat/conf/web.xml:

<error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.jsp</location>
</error-page>

<error-page>
    <error-code>404</error-code>
    <location>/error.jsp</location>
</error-page>

<error-page>
    <error-code>405</error-code>
    <location>/error.jsp</location>
</error-page>

-- Add a new file "error.jsp" to the ROOT folder
/tomcat/webapps/ROOT

<!DOCTYPE html>
<html>
<body>
<!-- plain HTML only: no server info, no stack trace, nothing for a scanner to fingerprint -->
<h1 style="text-align:center">The page you are looking for is not available; please contact the administrator.</h1>
</body>
</html>



I also changed the default "index.jsp" in the ROOT folder to display a simple message that the server is running, but I lost the default page for Tomcat. Do I have to do this, or was this default "index.jsp" file not causing the problem?



btan

Assuming you want to override the default page. ROOT remains as the main HOME.

https://cwiki.apache.org/confluence/display/tomcat/HowTo#HowTo-HowdoIoverridethedefaulthomepageloadedbyTomcat?

How do I override the default home page loaded by Tomcat?

After successfully installing Tomcat, you usually test it by loading http://localhost:8080 . It is quite easy to override that page. Inside $TOMCAT_HOME/conf/web.xml there is a section called <welcome-file-list> and it looks like this:
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>


The default servlet attempts to load the index.* files in the order listed. You may easily override the index.jsp file by creating an index.html file at $TOMCAT_HOME/webapps/ROOT. It's somewhat common for that file to contain a new static home page or a redirect to a servlet's main page. A redirect would look like:
<html>
<head>
  <meta http-equiv="refresh" content="0;URL=http://mydomain.com/some/path/to/servlet/homepage/">
</head>
<body></body>
</html>


This change takes effect immediately and does not require a restart of Tomcat.

sam15

ASKER
Yes, but do I need to override or disable the default Tomcat welcome page to fix this vulnerability or not?

I sort of like the default webpage if it is not causing any security issues.
btan

I don't think so; I don't see why we would need to replace the default page. The default error page is good enough.
That said, the scanner may have picked up the default installation start page, which is low risk.

There are multiple ways to correct this issue (showing the Tomcat home page), and they vary depending on your environment's/security requirements. The simplest solution would be to rename the index file inside the <Tomcat_directory>/webapps/ROOT directory, or you could rename the ROOT app to another folder name (or delete it if you don't want to manage Tomcat with the Tomcat manager app).

Another means is to disable (comment out, as below) the default start page, though not many will want to, and likely a replacement page is used instead (you need to rename the welcome pages accordingly if they are not index.xxx).

0. Right click the web.xml file (under ROOT) and select edit:

1. Scroll to the bottom of the file and comment out the following:

    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

2. Example to comment out the lines:
  <!--
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
  -->  
3. Restart Tomcat service 