Securing Tomcat 8 – Part 1

Vulnerability: Information disclosure in server header and error page

How to check: 

[root@localhost conf]# telnet localhost 8180
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET http://localhost:8180/dummy.jsp HTTP/1.1

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 1014
Date: Wed, 09 Nov 2016 07:22:06 GMT

<!DOCTYPE html><html><head><title>Apache Tomcat/8.0.18 - Error report</title><style type="text/css">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border: none;}</style> </head><body><h1>HTTP Status 404 - /dummy.jsp</h1>

<p><b>type</b> Status report</p><p><b>message</b> <u>/dummy.jsp</u></p><p><b>description</b> <u>The requested resource is not available.</u></p><hr class="line"><h3>Apache Tomcat/8.0.18</h3></body></html>
^C
Connection closed by foreign host.

Remediation:

Edit server.xml. First replace the default Server header value (Apache-Coyote/1.1) by adding a server attribute to the Connector:

<Connector port="8180" ...
server="MyServer"

Then stop the error page from printing the Tomcat version and error details by declaring the ErrorReportValve inside the <Host> element with both report attributes disabled:

<Valve className="org.apache.catalina.valves.ErrorReportValve"
showReport="false" showServerInfo="false" />

Restart Tomcat and repeat the check:

[root@localhost conf]# telnet localhost 8180
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET http://localhost:8180/dummy.jsp HTTP/1.1

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 118
Date: Wed, 09 Nov 2016 07:28:04 GMT
Server: MyServer

<!DOCTYPE html><html><head><title>Error report</title></head><body><h1>HTTP Status 404 - /dummy.jsp</h1></body></html>
^C
Connection closed by foreign host.
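A scripted form of the telnet check above, added here as an example and not part of the original post: analyse() parses a raw 404 response and flags a stock Server header and any "Apache Tomcat/x.y.z" string in the error body, and fetch_404() pulls such a response from a live instance (host, port and the /dummy.jsp path are assumptions; the two sample responses are constructed, not captured).

```python
import re
import socket

# Constructed sample responses (not captured output), mirroring the
# before/after telnet sessions shown above.
DEFAULT_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache-Coyote/1.1\r\n"
    b"Content-Type: text/html;charset=utf-8\r\n\r\n"
    b"<html><head><title>Apache Tomcat/8.0.18 - Error report</title>"
    b"</head><body><h3>Apache Tomcat/8.0.18</h3></body></html>"
)
HARDENED_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: MyServer\r\n"
    b"Content-Type: text/html;charset=utf-8\r\n\r\n"
    b"<html><head><title>Error report</title></head>"
    b"<body><h1>HTTP Status 404 - /dummy.jsp</h1></body></html>"
)

# Server header prefixes that identify a stock Tomcat/Coyote install.
DEFAULT_SERVER_PREFIXES = ("apache-coyote", "apache tomcat")
VERSION_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+)")

def analyse(raw: bytes) -> dict:
    """Split a raw HTTP response and report what it reveals about the server."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    server = headers.get("server", "")
    match = VERSION_RE.search(body.decode("latin-1"))
    return {
        "server_header": server,
        "default_server_header": server.lower().startswith(DEFAULT_SERVER_PREFIXES),
        "version_in_body": match.group(1) if match else None,
    }

def fetch_404(host: str, port: int, path: str = "/dummy.jsp") -> bytes:
    """Request a resource that should not exist, as the telnet check does."""
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(request.encode("ascii"))
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)
```

Against a running instance, analyse(fetch_404("localhost", 8180)) should report default_server_header False and version_in_body None once the remediation is in place.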
